Security
This is money. Security is layered end-to-end, and you share responsibility for the parts on your side.
On our side
TLS 1.2+ on every endpoint — plaintext HTTP is rejected.
Scoped tokens — a token only ever sees its own app's data; it cannot read other accounts.
Signed webhooks — every delivery carries an HMAC-SHA256 signature you can verify.
Secrets hashed at rest; rotation revokes all live tokens instantly.
Server-side limits — per-transaction, daily, monthly and balance caps enforced at the ledger, so a compromised key can't drain an account.
On your side
Keep
client_secretand the webhook signing secret server-side only. Never ship them to a browser or app.Verify every webhook signature before acting (see Webhooks).
Use
idemkeys so a retry or replay can't double-charge.Restrict who can read your keys; rotate immediately if a secret may have leaked.
Validate amounts and references server-side before fulfilling — never trust client-supplied totals.
Never embed the secret in the browser
If you need to collect from a web page, keep the secret on your server and call PesaBridge from there. A leaked secret can mint tokens until you rotate it.

