Security Best Practices
Protect your integration and your customers with these security recommendations.
Non-Custodial by Design
PayHub never holds your funds. Payments go directly from your customers to your wallet addresses. This means there's no custodial risk - even if PayHub were compromised, your funds remain safe.
API Key Security
Never expose keys in client-side code
API keys should only be used server-side. Never include them in JavaScript that runs in the browser, mobile apps, or any code that users can inspect.
Use environment variables
Store API keys in environment variables, not in your codebase. Use a secrets manager for production deployments.
Rotate keys regularly
Periodically rotate your API keys, especially after team member departures. You can have multiple active keys to enable zero-downtime rotation.
Use separate keys per environment
Use different API keys for development, staging, and production. This limits blast radius if a key is compromised.
Webhook Security
Always verify signatures
Never process webhooks without verifying the signature first. This prevents attackers from forging webhook events.
Verify the signature
Use the SDK's built-in verification or implement HMAC-SHA256 verification manually. Compare signatures using constant-time comparison to prevent timing attacks.
Check the timestamp
Reject webhooks with timestamps older than 5 minutes to prevent replay attacks. The timestamp is included in the signature verification, so it cannot be changed without invalidating the signature.
Use HTTPS endpoints
Only configure HTTPS webhook URLs. PayHub will not deliver webhooks to HTTP endpoints.
Verify with the API
After receiving a webhook, call the API to verify the payment status before fulfilling orders. This provides defense in depth.
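The signature and timestamp checks described above, as an added example (this is not PayHub's SDK code or its documented signing scheme). It assumes the signature is a hex-encoded HMAC-SHA256 over the timestamp, a dot, and the raw request body, and that the timestamp is Unix seconds; the function names and the sample secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import time

MAX_AGE_SECONDS = 5 * 60  # the 5-minute replay window from this page


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    # Assumed scheme: HMAC-SHA256 over b"<timestamp>.<raw body>", hex-encoded.
    signed = timestamp.encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret, timestamp, signature, body, now=None):
    """Return (ok, reason). Run on the raw bytes, before parsing the JSON."""
    now = time.time() if now is None else now
    timestamp = str(timestamp)
    expected = sign(secret, timestamp, body)
    # Constant-time comparison; comparing bytes avoids a TypeError on
    # non-ASCII input that compare_digest raises for str arguments.
    if not hmac.compare_digest(expected.encode(), str(signature).encode()):
        return False, "bad signature"
    # Only trust the timestamp after the signature over it has verified.
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False, "bad timestamp"
    if now - sent_at > MAX_AGE_SECONDS:
        return False, "stale timestamp"
    return True, "ok"


if __name__ == "__main__":
    secret = b"whsec_constructed_example"           # constructed sample secret
    body = b'{"event":"payment.confirmed","amount":"10.00"}'  # constructed
    now = 1_700_000_000
    ts = str(now - 60)
    sig = sign(secret, ts, body)
    print(verify_webhook(secret, ts, sig, body, now=now))        # fresh, valid
    print(verify_webhook(secret, str(now), sig, body, now=now))  # timestamp swapped
    print(verify_webhook(secret, ts, sig, body, now=now + 600))  # replayed later
```

Verify against the exact bytes received; re-serializing parsed JSON can change whitespace or key order and break the comparison.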
Payment Verification
Wait for confirmations
Don't fulfill orders until the payment is confirmed. Unconfirmed transactions can be reversed through blockchain reorganizations.
Verify the amount
Check that the received amount matches the expected amount. Handle underpayments and overpayments according to your business logic.
Use idempotency
Use idempotency keys when creating payments to prevent duplicate charges if your request is retried.
Infrastructure Security
TLS 1.3
All API communication uses TLS 1.3 encryption
SOC 2 Compliant
Infrastructure meets SOC 2 Type II requirements
DDoS Protection
Enterprise-grade DDoS mitigation
24/7 Monitoring
Continuous security monitoring and alerting
Security Reporting
If you discover a security vulnerability, please report it responsibly:
Email us at security@payhub.work with details of the vulnerability. We'll respond within 24 hours.
We offer a bug bounty program for qualifying vulnerabilities.