Security Best Practices
Keep your integration secure and protect user data
API Keys
Critical: Never Expose API Keys
Keep API keys server-side only. Never commit them to version control or expose them in client-side code.
Best Practices
Keep API keys server-side only
Never commit keys to version control
Use environment variables for configuration
Rotate keys if compromised
Use test keys (sk_test_) for development
Use live keys (sk_live_) only in production
Receipt Verification
Always verify receipt signatures to ensure payment integrity:
    import crypto from 'crypto';

    // Recompute the HMAC over the receipt (minus its own signature field) and
    // compare it with the supplied signature in constant time.
    function verifyReceipt(receipt, signature, secret) {
      // Drop the signature field; everything else in the receipt is signed.
      const { signature: _, ...payload } = receipt;
      // Canonical serialization with sorted top-level keys. A replacer array
      // also filters nested objects down to these key names, so this assumes
      // a flat payload.
      const message = JSON.stringify(payload, Object.keys(payload).sort());
      const expected = crypto
        .createHmac('sha256', secret)
        .update(message)
        .digest('hex');
      const expectedBuf = Buffer.from(expected);
      const givenBuf = Buffer.from(String(signature));
      // timingSafeEqual throws on a length mismatch; a signature of the wrong
      // length is simply invalid.
      if (expectedBuf.length !== givenBuf.length) return false;
      return crypto.timingSafeEqual(expectedBuf, givenBuf);
    }
Idempotency
Use idempotency keys to prevent duplicate charges:
Generate unique keys per request
Use UUIDs or cryptographically random strings
Store keys with user sessions
Retry with the same key on failure
Webhook Security
Always verify webhook signatures
Use HTTPS endpoints only
Implement rate limiting
Log all webhook events
Rotate webhook secrets periodically
User Data
Store minimal user information
Hash or encrypt sensitive data
Comply with GDPR/privacy regulations
Provide data export/deletion capabilities
Rate Limiting
Implement rate limiting on your endpoints:
Limit requests per user/IP
Use exponential backoff for retries
Return 429 status for exceeded limits
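As an added example (not code from the original page or from this API's client), the idempotency and rate-limiting guidance above combined: one idempotency key is generated per logical request and reused on every retry, with exponential backoff after a 429 or a transport failure. The `sendFn` transport, the option names and the status handling are assumptions.

```javascript
import { randomUUID } from 'crypto';

// Exponential backoff schedule: 100ms, 200ms, 400ms, ... for attempts 0, 1, 2, ...
function backoffDelayMs(attempt, baseDelayMs) {
  return baseDelayMs * 2 ** attempt;
}

// Send one logical request through `sendFn(idempotencyKey)`, a hypothetical
// transport that resolves to { status, ... } or throws on network failure.
// A single idempotency key is reused on every retry, so a repeat can never
// create a second charge. Pass `idempotencyKey` in `opts` to resume a request
// whose key was stored with the user session; otherwise a fresh UUID is
// generated exactly once for this call.
async function sendWithIdempotency(sendFn, opts = {}) {
  const {
    maxAttempts = 4,
    baseDelayMs = 100,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  const idempotencyKey = opts.idempotencyKey ?? randomUUID();
  let lastError;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    try {
      const res = await sendFn(idempotencyKey);
      if (res.status === 429) {
        // Rate limited by the API: back off, then retry with the same key.
        lastError = new Error('rate limited');
      } else if (res.status >= 500) {
        lastError = new Error(`server error ${res.status}`);
      } else {
        // 2xx, or a 4xx other than 429: final answer, do not retry.
        return { ...res, idempotencyKey, attempts: attempt + 1 };
      }
    } catch (err) {
      // Transport failure: unknown whether the charge was applied, which is
      // exactly why the retry must carry the same idempotency key.
      lastError = err;
    }
    if (attempt < maxAttempts - 1) {
      await sleep(backoffDelayMs(attempt, baseDelayMs));
    }
  }
  throw lastError;
}
```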
HTTPS Only
Use HTTPS Everywhere
Always use HTTPS for all communications including API requests, webhook endpoints, and WebApp payment flows.
Monitoring
Monitor API usage patterns
Set up alerts for anomalies
Track failed payment attempts
Review logs regularly
Incident Response
Have a plan for security incidents:
1. Rotate compromised keys immediately
2. Notify affected users
3. Review logs for unauthorized access
4. Document the incident
5. Implement preventive measures