Additional Security Features
Payitoff's API offers multiple layers of security depending on your requirements.
IP Allow-Listing
IP Allow-Listing in our REST and GraphQL APIs ensures that your API key can be used only from originating IP addresses your specify.
Requirements
- Provide a list of CIDR blocks (or IP addresses) to your Payitoff rep.
mTLS
Payitoff exclusively uses HTTPS (via TLS) for all web traffic so you can verify our servers' authenticity. By additionally enabling mutual TLS (mTLS), you can have Payitoff's API require client authentication over TLS. With mTLS enabled, all API traffic will require bidirectional authentication over TLS in addition to API-key verification.
Requirements
- Provide your public key certificate (in PEM format) to your Payitoff rep for initial setup.
- Use mtls.payitoff-sandbox.io (testing) and mtls.payitoff.io (production) as the hostname for all API requests.
- You will need to include your certificate in web requests using your HTTP client of choice.
JavaScript Object Signing and Encryption (JOSE)
Payitoff's REST API version 3 supports JOSE, also known as JSON Web Signatures (JWS) and JSON Web Encryption (JWE), as an optional additional layer of security. With JOSE enabled, all JSON API requests and responses are required to be both signed (to detect tampering) and encrypted (to prevent interception).
Requirements
- Provide your public JSON Web Key (JWK) to your Payitoff rep for initial setup.
- When making API requests, use the
Content-type: application/joseandAccept: application/joseheaders. Sign and then encrypt request bodies, and decrypt and then verify response bodies.
Contact Us
To enable any of these features, contact your Payitoff rep or email [email protected].
Updated 3 months ago