Security

Security & Anti-Replay

  • HTTPS only.
  • code is one-time, TTL 2-5 minutes. Store used code/state pairs.
  • Validate Bearer api_key.
  • For webhook, verify HMAC (X-Cryptopass-Signature) and/or Bearer webhook_api_key.
  • Apply rate limits, log requests/responses (redact secrets).

Important: do not log api_key, webhook_secret, or user tokens.

Previous
Webhook
Next
Keys and Rotation