Security Guide

Learn about security best practices and features in the PayVanta API.

Overview

Security is crucial for:

  • Protecting sensitive data
  • Preventing unauthorized access
  • Ensuring compliance
  • Maintaining trust

API Authentication

1. API Key Authentication

// Load API credentials from environment variables; never hard-code them
// or commit them to source control.
const API_KEY = process.env.PAYVANTA_API_KEY;
const API_SECRET = process.env.PAYVANTA_API_SECRET;

if (!API_KEY || !API_SECRET) {
  throw new Error("PAYVANTA_API_KEY and PAYVANTA_API_SECRET must be set");
}

API Requests

// HTTP Basic authentication: the Authorization header carries
// base64("key:secret"). Always send it over HTTPS only.
const base64EncodedCredentials = Buffer.from(`${API_KEY}:${API_SECRET}`).toString("base64");

const response = await fetch("https://api.payvanta.com/v1/balance", {
  headers: {
    "Authorization": `Basic ${base64EncodedCredentials}`,
    "Accept": "application/json"
  }
});

2. JWT Authentication

// Get JWT token
const token = await api.auth.getToken({
  key: API_KEY,
  secret: API_SECRET
});
 
// Use token in requests
const response = await fetch("https://api.payvanta.com/v1/balance", {
  headers: {
    "Authorization": `Bearer ${token}`
  }
});

3. Token Management

class TokenManager {
  constructor() {
    this.token = null;
    this.expiry = null; // epoch milliseconds, taken from the JWT "exp" claim
  }

  async getToken() {
    if (!this.token || this.isExpired()) {
      await this.refreshToken();
    }
    return this.token;
  }

  // Treat the token as expired 30 seconds early so a request never leaves
  // with a token that expires while it is in flight.
  isExpired() {
    return this.expiry === null || Date.now() >= this.expiry - 30_000;
  }

  async refreshToken() {
    this.token = await api.auth.getToken({ key: API_KEY, secret: API_SECRET });
    // Read the expiry from the JWT payload (base64url-encoded second segment)
    const payload = JSON.parse(
      Buffer.from(this.token.split(".")[1], "base64url").toString("utf8")
    );
    this.expiry = payload.exp * 1000;
  }
}

IP Whitelisting

1. Configure IPs

// Add IP to whitelist
await api.security.whitelistIP({
  ip: "203.0.113.1",
  description: "Production Server"
});
 
// Remove IP from whitelist
await api.security.removeIP("203.0.113.1");

2. IP Management

  • Add production IPs only
  • Remove unused IPs
  • Monitor access
  • Update regularly

3. Best Practices

  • Use static IPs
  • Document IP usage
  • Regular audits
  • Monitor changes

Webhook Security

1. Webhook Signatures

const crypto = require("node:crypto");
const WEBHOOK_SECRET = process.env.PAYVANTA_WEBHOOK_SECRET;

// Verify webhook signature. `rawBody` must be the request body exactly as
// received (string or Buffer), not a parsed object: re-serializing with
// JSON.stringify can reorder keys or change whitespace, and the HMAC will
// then be computed over different bytes than the ones that were signed.
function verifyWebhook(rawBody, signature) {
  const expectedSignature = crypto
    .createHmac("sha256", WEBHOOK_SECRET)
    .update(rawBody)
    .digest("hex");

  const received = Buffer.from(String(signature), "utf8");
  const expected = Buffer.from(expectedSignature, "utf8");
  // timingSafeEqual throws on inputs of different length, so check first
  if (received.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(received, expected);
}

2. Webhook Configuration

// Configure webhook. The signing secret is the same value verifyWebhook
// uses; load it from the environment rather than hard-coding it.
await api.webhooks.create({
  url: "https://your-domain.com/webhook",
  events: ["payout.completed", "payout.failed"],
  secret: process.env.PAYVANTA_WEBHOOK_SECRET
});

3. Best Practices

  • Use HTTPS
  • Verify signatures
  • Handle retries
  • Monitor failures

Data Security

1. Encryption

const crypto = require("node:crypto");

// Encrypt sensitive data with AES-256-GCM. `key` must be 32 random bytes.
// crypto.createCipher (no IV, password-derived key) is deprecated and has
// been removed from Node.js; use createCipheriv with a fresh 12-byte IV
// per call, since reusing an IV under the same key breaks GCM entirely.
// The auth tag is not the IV: both must be stored with the ciphertext so
// decryption can detect tampering.
function encryptData(data, key) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  let encrypted = cipher.update(JSON.stringify(data), "utf8", "hex");
  encrypted += cipher.final("hex");
  return {
    data: encrypted,
    iv: iv.toString("hex"),
    authTag: cipher.getAuthTag().toString("hex")
  };
}

2. Secure Storage

  • Use environment variables
  • Encrypt sensitive data
  • Regular key rotation
  • Access logging

3. Data Handling

  • Minimize data retention
  • Secure transmission
  • Regular audits
  • Access controls

Compliance

1. PCI DSS

  • Secure card data
  • Regular audits
  • Access controls
  • Monitoring

2. GDPR

  • Data minimization
  • User consent
  • Right to erasure
  • Data portability

3. Local Regulations

  • KYC/KYB compliance
  • Transaction limits
  • Reporting requirements
  • Documentation

Best Practices

  1. Authentication

    • Use strong keys
    • Implement 2FA
    • Regular rotation
    • Monitor access
  2. Data Protection

    • Encrypt sensitive data
    • Secure transmission
    • Access controls
    • Regular audits
  3. Monitoring

    • Track access
    • Monitor changes
    • Alert on issues
    • Regular reviews

Next Steps