Security

Security best practices for integrators

Five habits keep an integration safe: guard the secret, scope narrowly, verify every webhook, TLS everywhere, and rotate on a schedule. None is optional in production.


Secret server-side: never in the client
Least privilege: scope narrowly
Verify: every webhook

Protect the credential

The client_secret is the key to everything your partner integration can do. Keep it server-side only, in a secrets manager or environment variable; never commit it to a repo or ship it in a browser bundle or a mobile app. Scope every token to only what it uses (least privilege), so a leak is bounded, and rotate on a schedule.

Verify what comes in

Never trust an unverified webhook: recompute its HMAC signature over the raw request body (the exact bytes received, not a re-serialised copy) and compare in constant time before acting. Reject on mismatch. This is the single most important control on the receiving side, because a webhook drives real state in your system.

Transport and hygiene

Use TLS for every call (the API is HTTPS-only). Do not log tokens or secrets; redact them in error reporting. Prefer local JWKS verification for throughput, but introspect where instant revocation matters. Run one project per workload for isolation.
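The "do not log tokens or secrets" rule is easy to state and easy to break in an exception handler that dumps a request. The following is an added example, not code from this page or its API, showing one way to enforce it in Python: a logging filter that redacts bearer tokens, client_secret values and access_token values before any handler sees the record. The credential shapes, pattern names and logger name are assumptions for the demo.

```python
import logging
import re

# Patterns for the credential shapes this page warns about (constructed for
# the demo; extend them to match the token formats your integration uses).
_PATTERNS = [
    # "Authorization: Bearer <token>" in dumped headers
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._\-]+"), r"\1[REDACTED]"),
    # client_secret=... in query strings or "client_secret": "..." in JSON
    (re.compile(r"(?i)(client_secret[\"']?\s*[:=]\s*[\"']?)[^\s\"'&]+"), r"\1[REDACTED]"),
    # access_token in the same two shapes
    (re.compile(r"(?i)(access_token[\"']?\s*[:=]\s*[\"']?)[^\s\"'&]+"), r"\1[REDACTED]"),
]


def redact(text: str) -> str:
    """Replace every credential value matched by _PATTERNS with [REDACTED]."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter that scrubs the fully formatted message.

    Formatting first (getMessage) means secrets passed as %-args are caught
    too, not only secrets embedded in the literal format string.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # never drop the record, only clean it


class _ListHandler(logging.Handler):
    """Collects formatted lines so the effect of the filter can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def logged_text(message: str, *args) -> str:
    """Log one message through a redacting logger and return what was emitted."""
    logger = logging.getLogger("demo.redact")  # assumed logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(message, *args)
    return handler.lines[0]


if __name__ == "__main__":
    # Constructed sample of the kind of line an error path might emit.
    print(logged_text("token call failed: POST /token?client_secret=%s&grant_type=client_credentials", "s3cr3t"))
    print(logged_text("upstream 401, headers were: Authorization: Bearer %s", "eyJabc.def-ghi"))
```

Attach the filter to the root logger (or to the logger your HTTP client uses) in production; attaching it to a single named logger, as the demo does, only protects that logger. Redaction is a backstop, not a substitute for never putting the secret into a log call in the first place.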

Frequently asked questions

Where should the client secret live?

In a server-side secrets manager or environment variable, never in client code, a browser bundle, a mobile app or version control. If it ever leaks, rotate it immediately.

What is the highest-value control on the webhook side?

Signature verification. Recompute the HMAC over the raw body in constant time and reject on mismatch before doing anything else: an unverified webhook could be forged and would drive real state changes.
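The check described under "Verify what comes in" above and restated in this answer, as an added example in Python that is not code from this page or its API. It assumes a hex-encoded HMAC-SHA256 over the raw body carried in an X-Signature header (both assumptions; use the header name and encoding your provider documents), and the secret value is constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; in production this comes from a server-side
# secrets manager, never from client code or version control.
WEBHOOK_SECRET = b"constructed-demo-secret"


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over the exact bytes of the request body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, signature_header: Optional[str],
                   secret: bytes = WEBHOOK_SECRET) -> bool:
    """True only if the header equals the HMAC of raw_body.

    hmac.compare_digest runs in constant time, so a wrong signature cannot be
    guessed byte by byte from response latency. The input is the raw bytes as
    received: re-serialising the JSON would change whitespace or key order
    and silently break the check.
    """
    if not signature_header:
        return False
    expected = sign(raw_body, secret)
    return hmac.compare_digest(expected, signature_header.strip().lower())


def reserialised_signature_matches(raw_body: bytes) -> bool:
    """Shows why the raw body matters: signing json.dumps(json.loads(body))
    only equals the real signature if re-serialisation happens to be
    byte-identical, which it usually is not."""
    round_tripped = json.dumps(json.loads(raw_body)).encode()
    return hmac.compare_digest(sign(raw_body), sign(round_tripped))


def handle_webhook(raw_body: bytes, headers: dict) -> tuple:
    """Verify first, reject on mismatch, and only then parse and act."""
    if not verify_webhook(raw_body, headers.get("X-Signature")):
        return 401, "invalid signature"
    event = json.loads(raw_body)
    # Only a verified event is allowed to drive state changes here.
    return 200, "processed " + str(event.get("type", "unknown"))


if __name__ == "__main__":
    # Constructed sample webhook body (compact JSON, no spaces).
    body = b'{"type":"loan.approved","amount":1000}'
    good = sign(body)
    print(handle_webhook(body, {"X-Signature": good}))
    print(handle_webhook(body, {"X-Signature": "deadbeef"}))
    print("re-serialised body still verifies:", reserialised_signature_matches(body))
```

Read the body with whatever your framework exposes as the unparsed request bytes, and run verification before any JSON decoding or database access; a 401 for a bad signature should be the only observable effect of a forged request.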
