Skip to main content

Security Overview

This guide covers security best practices for integrating with the TxnCheck API, protecting your API keys, and handling sensitive data.

Security Architecture

Key Security Principles

Defense in Depth

Multiple layers of security controls to protect against various attack vectors

Least Privilege

Grant minimum necessary permissions for API keys and service accounts

Zero Trust

Verify every request, even from internal systems

Audit Everything

Log all API interactions for compliance and incident response

Authentication Security

API Key Protection

Your API key grants access to paid services and sensitive verification data. Treat it like a password.
Do:
  • Store API keys in a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.)
  • Use environment variables, never hardcode keys
  • Rotate keys periodically (every 90 days recommended)
  • Use separate keys for development, staging, and production
Don’t:
  • Commit API keys to version control
  • Share keys via email or chat
  • Log API keys in application logs
  • Expose keys in client-side code
Enable HMAC-SHA256 request signing for additional security:
Request signing provides:
  • Integrity: Ensures request wasn’t modified in transit
  • Replay Protection: Timestamp prevents replay attacks
  • Non-repudiation: Proves request originated from your system

Transport Security

HTTPS Requirements

All API communication must use HTTPS with TLS 1.2 or higher:

Certificate Validation

Always validate SSL certificates:

Input Validation

Always validate input before sending to the API:

Rate Limiting

Implement client-side rate limiting to avoid hitting API limits:

Webhook Security

Signature Verification

Always verify webhook signatures to ensure authenticity:

Webhook Endpoint Security

Secure your webhook endpoint:

Error Handling Security

Don’t Expose Internal Errors

Secure Logging

Log enough for debugging without exposing sensitive data:

Security Checklist

Before going to production, verify:
  • API keys stored in secrets manager
  • No keys in source code or version control
  • Separate keys for dev/staging/production
  • Key rotation process documented
  • All API calls use HTTPS
  • Certificate validation enabled
  • No sensitive data in URLs (use POST body)
  • Mobile numbers validated before API calls
  • VPA formats validated
  • Input sanitization in place
  • Signature verification implemented
  • Timestamp validation (replay protection)
  • Rate limiting on webhook endpoint
  • HTTPS-only webhook URL
  • Sensitive data masked in logs
  • API errors logged for debugging
  • Alerting on unusual patterns
  • Audit trail for compliance

Incident Response

If you suspect your API key has been compromised:
  1. Immediately rotate the API key in your dashboard
  2. Review recent API usage for unauthorized calls
  3. Check your systems for the source of the leak
  4. Update all deployed applications with new keys
  5. Contact TxnCheck support if needed

API Keys

Detailed guide on managing API keys

Data Handling

Handling PII and sensitive data

Compliance

Regulatory compliance guidance

Authentication

API authentication details