Security Best Practices
Follow these security guidelines to ensure your integration with the Pagamio API remains secure and compliant.
API Authentication
Bearer Token Storage
- ✅ Store tokens in environment variables or secure vaults
- ✅ Never hardcode tokens in your source code
- ✅ Use different tokens for different environments
- ❌ Don't commit tokens to version control
- ❌ Don't expose tokens in client-side code or logs
Token Rotation
- Generate new tokens every hour using the `/auth/token` endpoint
- Implement automatic token refresh before expiration
- Monitor token usage for unusual patterns
- Revoke compromised tokens immediately
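The rotation flow above, as an added Node.js example (not Pagamio's own SDK): a small token manager that caches the current Bearer token and refreshes it a few minutes before expiry, de-duplicating concurrent refreshes. The issuer function that calls `/auth/token` is injected and simulated here, and the `{ token, expiresIn }` response shape is an assumption rather than the documented one.

```javascript
// Added example (not Pagamio's own code): refresh the Bearer token before it
// expires. The issuer is assumed to POST to /auth/token and resolve to
// { token, expiresIn } with expiresIn in seconds; adjust to the real response.

const REFRESH_SKEW_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry

// Pure decision: is the cached token missing or about to expire?
function needsRefresh(cached, nowMs, skewMs = REFRESH_SKEW_MS) {
  if (!cached) return true;
  return nowMs + skewMs >= cached.expiresAt;
}

function createTokenManager({ issueToken, now = Date.now, skewMs = REFRESH_SKEW_MS }) {
  let cached = null;   // { token, expiresAt }
  let inflight = null; // shared promise so parallel callers trigger one refresh
  let refreshCount = 0;

  async function refresh() {
    if (!inflight) {
      inflight = issueToken()
        .then(({ token, expiresIn }) => {
          cached = { token, expiresAt: now() + expiresIn * 1000 };
          refreshCount += 1;
          return cached.token;
        })
        .finally(() => { inflight = null; });
    }
    return inflight;
  }

  return {
    // Returns a valid token, refreshing transparently when close to expiry.
    async getToken() {
      if (needsRefresh(cached, now(), skewMs)) return refresh();
      return cached.token;
    },
    // Drop the cached token (after a 401, or when compromise is suspected).
    revoke() { cached = null; },
    stats() { return { refreshCount }; },
  };
}

// Simulated issuer and clock, constructed for the example (no network).
function makeFakeIssuer(lifetimeSeconds = 3600) {
  let n = 0;
  return async () => ({ token: `tok-${++n}`, expiresIn: lifetimeSeconds });
}

function makeFakeClock(startMs = 0) {
  let t = startMs;
  return { now: () => t, advance: (ms) => { t += ms; } };
}
```

In production, replace `makeFakeIssuer` with a function that performs the real HTTPS call to `/auth/token` and reads the token from an environment variable or vault-backed secret, never from source code.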
Secure Communication
HTTPS Only
- All API requests must use HTTPS
- Never make requests over HTTP
- Validate SSL/TLS certificates
- Use TLS 1.2 or higher
IP Whitelisting
- Configure allowed IP addresses in the Partner Portal
- Restrict API access to known server IPs only
- Update whitelist when infrastructure changes
- Monitor for unauthorized access attempts
Error Handling
Safe Error Messages
- ❌ Don't expose sensitive data in error messages
- ❌ Don't reveal system architecture details
- ✅ Log detailed errors server-side
- ✅ Return generic messages to clients
Example:

```javascript
// ❌ Bad - exposes details
"Database connection failed at 10.0.0.5:3306";
// ✅ Good - generic
"Service temporarily unavailable. Please try again.";
```
Request Validation
Input Sanitization
- Validate all input data before sending to the API
- Check data types, formats, and ranges
- Sanitize user input to prevent injection attacks
- Use allowlists for expected values
Required Fields Only
- Only send required and necessary fields
- Remove empty or null values before sending
- Keep request payloads minimal
- Use the `additionalInfo` field carefully
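The two sections above (input sanitization and minimal payloads), as one added Node.js example (not Pagamio's own code): an allowlist schema checks types, formats and ranges, unknown fields are rejected rather than forwarded, `additionalInfo` is constrained to known keys and short printable strings, and empty or null values are stripped before sending. The field names, currencies and limits are assumptions; use the real API specification for the actual rules.

```javascript
// Added example (not Pagamio's own code): validate an outgoing request against
// an allowlist schema, then drop empty values so the payload stays minimal.
// Field names, currencies and limits below are assumptions for the example.

const ALLOWED_CURRENCIES = new Set(['ZAR', 'USD']); // assumed allowlist
const REFERENCE_PATTERN = /^[A-Za-z0-9-]{1,32}$/;   // assumed format
const MAX_AMOUNT_MINOR = 100000000;                 // assumed range cap

// additionalInfo is free-form, so constrain it hard: flat object, known keys,
// short printable ASCII values.
const ADDITIONAL_INFO_KEYS = new Set(['orderId', 'customerRef']);
function validateAdditionalInfo(info) {
  if (typeof info !== 'object' || info === null || Array.isArray(info)) return 'must be an object';
  for (const [k, v] of Object.entries(info)) {
    if (!ADDITIONAL_INFO_KEYS.has(k)) return `unexpected key ${k}`;
    if (typeof v !== 'string' || v.length > 64 || /[^\x20-\x7e]/.test(v)) return `invalid value for ${k}`;
  }
  return null;
}

// Each rule returns null when valid, or a short problem description.
const SCHEMA = {
  amount: {
    required: true,
    check: (v) => (Number.isInteger(v) && v > 0 && v <= MAX_AMOUNT_MINOR)
      ? null : `must be a positive integer (minor units) up to ${MAX_AMOUNT_MINOR}`,
  },
  currency: { required: true, check: (v) => (ALLOWED_CURRENCIES.has(v) ? null : 'not in allowlist') },
  reference: {
    required: true,
    check: (v) => (typeof v === 'string' && REFERENCE_PATTERN.test(v)) ? null : `must match ${REFERENCE_PATTERN}`,
  },
  additionalInfo: { required: false, check: validateAdditionalInfo },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Validate against the schema; unknown fields are an error, not silently sent.
function validateRequest(input) {
  const errors = {};
  for (const key of Object.keys(input)) {
    if (!hasOwn(SCHEMA, key)) errors[key] = 'unknown field';
  }
  for (const [key, rule] of Object.entries(SCHEMA)) {
    const v = input[key];
    const present = v !== undefined && v !== null && v !== '';
    if (!present) {
      if (rule.required) errors[key] = 'required';
      continue;
    }
    const problem = rule.check(v);
    if (problem) errors[key] = problem;
  }
  return { ok: Object.keys(errors).length === 0, errors };
}

// Remove null, undefined and empty-string values (recursively for nested
// objects) so the request carries only fields that mean something.
function compact(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    if (v === null || v === undefined || v === '') continue;
    if (typeof v === 'object' && !Array.isArray(v)) {
      const inner = compact(v);
      if (Object.keys(inner).length) out[k] = inner;
    } else {
      out[k] = v;
    }
  }
  return out;
}

// Validate then compact; throws so nothing invalid reaches the API.
function prepareRequest(input) {
  const result = validateRequest(input);
  if (!result.ok) {
    const err = new Error('invalid request');
    err.errors = result.errors;
    throw err;
  }
  return compact(input);
}
```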
Logging and Monitoring
What to Log
- ✅ All API requests and responses (excluding sensitive data)
- ✅ Authentication attempts
- ✅ Error occurrences
- ✅ Transaction outcomes
What NOT to Log
- ❌ Bearer tokens or credentials
- ❌ PII (ID numbers, addresses)
- ❌ Card numbers or CVV codes
- ❌ Raw passwords
Log Retention
- Store logs securely with encryption
- Implement log rotation policies
- Retain logs for audit purposes
- Control access to log files
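The "what to log" and "what not to log" lists, as an added Node.js example (not Pagamio's own code): a redaction pass applied to a request/response record before it is written, removing credential, PII and card fields by key and masking Luhn-valid card numbers and Bearer tokens that appear inside free text. The key names are common conventions, assumed for the example.

```javascript
// Added example (not Pagamio's own code): strip tokens, PII and card data from
// a log record before it is written. Key names below are assumed conventions.

const SENSITIVE_KEYS = new Set([
  'authorization', 'token', 'access_token', 'password', 'cvv', 'cvc',
  'pan', 'cardnumber', 'idnumber', 'address',
]);
const MASK = '[REDACTED]';

// Luhn check so ordinary digit runs (amounts, references) are not mistaken
// for card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i -= 1) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Keep first 6 and last 4 digits, the usual PCI DSS display allowance.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

function redactString(s) {
  // Card-like runs of 13-19 digits, optionally separated by spaces or dashes.
  let out = s.replace(/\b\d(?:[ -]?\d){12,18}\b/g, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? maskPan(digits) : m;
  });
  // Bearer tokens embedded in free text (e.g. a dumped header line).
  out = out.replace(/Bearer\s+[A-Za-z0-9._~+/=-]+/g, `Bearer ${MASK}`);
  return out;
}

// Walk the record: sensitive keys are replaced wholesale, everything else is
// recursed into and scanned as text.
function redact(value) {
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? MASK : redact(v);
    }
    return out;
  }
  return value;
}

// Constructed sample record (no real data) showing a request as it might be
// captured before logging.
const SAMPLE_RECORD = {
  headers: { Authorization: 'Bearer abc.def.ghi', 'Content-Type': 'application/json' },
  body: {
    amount: 1500,
    card: { pan: '4111111111111111', cvv: '123' },
    note: 'paid with 4111 1111 1111 1111',
  },
  idNumber: '0000000000000',
  outcome: 'APPROVED',
};
```

Apply `redact` to the record on the way into the logger, not on the way out: once the raw value has hit disk or a log shipper, the retention and access controls in the next section are all that stand between it and an attacker.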
Network Security
Firewall Configuration
- Configure firewalls to allow only necessary traffic
- Restrict outbound connections to Pagamio API endpoints only
- Monitor network traffic for anomalies
- Implement DDoS protection
Rate Limiting
- Respect API rate limits (100 requests/minute)
- Implement client-side rate limiting
- Use exponential backoff for retries
- Cache responses where appropriate
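The rate-limit rules above, as an added Node.js example (not Pagamio's own code): a sliding-window client-side limiter sized to the documented 100 requests per minute, and a retry wrapper that retries only transient failures (429 and 5xx) with capped exponential backoff and jitter, honouring a server-supplied retry delay when one is present. The clock, sleep and random source are injected so the logic can be exercised without waiting.

```javascript
// Added example (not Pagamio's own code): client-side rate limiting for the
// documented 100 requests/minute, plus exponential backoff for retries.

function createRateLimiter({ limit = 100, windowMs = 60000, now = Date.now } = {}) {
  const timestamps = []; // send times inside the current window, oldest first

  function prune(t) {
    while (timestamps.length && timestamps[0] <= t - windowMs) timestamps.shift();
  }

  return {
    // True if a request may be sent now; records it when allowed.
    tryAcquire() {
      const t = now();
      prune(t);
      if (timestamps.length >= limit) return false;
      timestamps.push(t);
      return true;
    },
    // Milliseconds until the next slot frees up (0 if one is free now).
    waitTime() {
      const t = now();
      prune(t);
      return timestamps.length < limit ? 0 : timestamps[0] + windowMs - t;
    },
  };
}

// Delay for attempt n (0-based): base * 2^n, capped at maxMs, with full jitter.
function backoffDelay(attempt, { baseMs = 500, maxMs = 30000, random = Math.random } = {}) {
  const ceiling = Math.min(maxMs, baseMs * 2 ** attempt);
  return Math.floor(random() * ceiling);
}

// Retry only transient failures: 429 (rate limited) and 5xx.
function isRetryable(err) {
  return Boolean(err) && (err.status === 429 || (err.status >= 500 && err.status < 600));
}

// Run fn, retrying with backoff. `sleep` is injected (ms => Promise) so
// tests run instantly; in production pass ms => new Promise(r => setTimeout(r, ms)).
async function withRetry(fn, { maxAttempts = 5, sleep, ...backoffOpts } = {}) {
  let attempt = 0;
  for (;;) {
    try {
      return await fn();
    } catch (err) {
      attempt += 1;
      if (!isRetryable(err) || attempt >= maxAttempts) throw err;
      // Prefer a server-provided Retry-After (assumed to be parsed into
      // err.retryAfterMs by the caller); otherwise back off exponentially.
      const delay = err.retryAfterMs ?? backoffDelay(attempt - 1, backoffOpts);
      await sleep(delay);
    }
  }
}
```

The limiter stops the client from ever sending the request that would earn a 429; the backoff handles the cases the limiter cannot see, such as several processes sharing one token, and keeps a transient outage from turning into a retry storm.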
Security Checklist
Before going to production, ensure:
- ✅ All credentials stored securely in environment variables
- ✅ HTTPS enforced for all API calls
- ✅ Token refresh mechanism implemented
- ✅ Error handling doesn't expose sensitive info
- ✅ Input validation implemented
- ✅ Logging configured (excluding sensitive data)
- ✅ IP whitelist configured
- ✅ Rate limiting and retry logic implemented
- ✅ Security audit completed
- ✅ PCI and POPIA compliance verified
- ✅ Monitoring and alerting configured
- ✅ Incident response plan documented
Incident Response
If you suspect a security breach:
- Immediate Action: Revoke all API tokens
- Assess Impact: Review logs for unauthorized access
- Notify Pagamio: Contact [email protected] immediately
- Generate New Credentials: Create new tokens after investigation
- Document: Record incident details and response actions
Regular Security Reviews
- Conduct security audits quarterly
- Review and update access controls
- Test incident response procedures
- Stay updated on security advisories from Pagamio
- Train development team on security practices
Last updated: October 2025