HomeGuidesAPI Reference
Guides

Additional Security Features

Payitoff's API offers multiple layers of security depending on your requirements.

IP Allow-Listing

IP Allow-Listing in our REST and GraphQL APIs ensures that your API key can be used only from originating IP addresses your specify.

Requirements


mTLS

Payitoff exclusively uses HTTPS (via TLS) for all web traffic so you can verify our servers' authenticity. By additionally enabling mutual TLS (mTLS), you can have Payitoff's API require client authentication over TLS. With mTLS enabled, all API traffic will require bidirectional authentication over TLS in addition to API-key verification.

Requirements

  • Provide your public key certificate (in PEM format) to your Payitoff rep for initial setup.
  • Use mtls.payitoff-sandbox.io (testing) and mtls.payitoff.io (production) as the hostname for all API requests.
  • You will need to include your certificate in web requests using your HTTP client of choice.

JavaScript Object Signing and Encryption (JOSE)

Payitoff's REST API version 3 supports JOSE, also known as JSON Web Signatures (JWS) and JSON Web Encryption (JWE), as an optional additional layer of security. With JOSE enabled, all JSON API requests and responses are required to be both signed (to detect tampering) and encrypted (to prevent interception).

Requirements

  • Provide your public JSON Web Key (JWK) to your Payitoff rep for initial setup.
  • When making API requests, use the Content-type: application/jose and Accept: application/jose headers. Sign and then encrypt request bodies, and decrypt and then verify response bodies.

Contact Us

To enable any of these features, contact your Payitoff rep or email [email protected].


What’s Next