Best Practices & Security

Security guidelines, optimization tips, and best practices for integrating LakiPay into your application.

API Key Management

Never Expose API Keys

Never commit API keys to version control or expose them in client-side code. Use environment variables or secure secret management systems.

Use Separate Keys for Test and Production

Maintain separate API keys for testing and production environments to prevent accidental transactions.

Rotate Keys Regularly

Rotate your API keys periodically (every 90 days recommended) and immediately if you suspect compromise.

Restrict Key Permissions

Use the minimum required permissions for each API key. Create separate keys for different operations if needed.

Monitor Key Usage

Regularly review API key usage logs in your dashboard to detect unauthorized access or unusual activity.

Webhook Security

Critical Security Requirement

Always verify webhook signatures before processing. Never trust webhook requests without signature verification, even if they appear to come from LakiPay IP addresses.

Always Verify Signatures

Every webhook must be verified using RSA-2048 signature verification before processing.

Use HTTPS Endpoints

Always use HTTPS for webhook URLs to encrypt data in transit.

Implement Idempotency

Use transaction_id as an idempotency key to prevent duplicate processing of the same webhook.

Respond Quickly

Respond to webhook requests within 5 seconds. Process webhooks asynchronously if needed.

Log All Webhooks

Log all incoming webhooks (including failed verifications) for security auditing and debugging.

Testing Guidelines

Use Test API Keys

Always use test API keys during development. Test keys don't process real transactions.

Test All Scenarios

Test successful payments, failures, cancellations, and edge cases like duplicate requests.

Test Webhook Handling

Use webhook testing tools or mock webhook requests to test your webhook handler thoroughly.

Validate Error Handling

Test how your application handles API errors, network failures, and timeout scenarios.

Test Idempotency

Verify that duplicate requests with the same reference ID are handled correctly.

General Security Best Practices

  • Keep your API keys and webhook secrets secure and never share them
  • Use environment variables for configuration, never hardcode secrets
  • Implement rate limiting to prevent abuse
  • Validate all input data before sending API requests
  • Monitor API usage and set up alerts for unusual activity
  • Keep your integration code and its dependencies updated and apply security patches promptly
  • Use HTTPS for all API communications
  • Implement proper logging without exposing sensitive data