Security

This is money. Security is layered end-to-end, and you share responsibility for the parts on your side.

On our side

  • TLS 1.2+ on every endpoint — plaintext HTTP is rejected.

  • Scoped tokens — a token only ever sees its own app's data; it cannot read other accounts.

  • Signed webhooks — every delivery carries an HMAC-SHA256 signature you can verify.

  • Secrets hashed at rest; rotation revokes all live tokens instantly.

  • Server-side limits — per-transaction, daily, monthly and balance caps enforced at the ledger, so a compromised key can't drain an account.

On your side

  • Keep client_secret and the webhook signing secret server-side only. Never ship them to a browser or app.

  • Verify every webhook signature before acting (see Webhooks).

  • Use idem keys so a retry or replay can't double-charge.

  • Restrict who can read your keys; rotate immediately if a secret may have leaked.

  • Validate amounts and references server-side before fulfilling — never trust client-supplied totals.

Never embed the secret in the browser

If you need to collect from a web page, keep the secret on your server and call PesaBridge from there. A leaked secret can mint tokens until you rotate it.

Was this page helpful?