Technical and Security Aspects
Technical and Security Aspects of our Cashout endpoint
Security Considerations
All API requests must be made over HTTPS. Calls made over plain HTTP will fail.
API requests without Payload-signature will also fail.
You will be able to hit our APIs only from the IPs you have previously whitelisted on the Merchant Panel.
Endpoint domains
Each environment has its own domain. The path of the endpoints do not change.
Environment | Domain |
Staging |
|
Production | Provided once you complete the testing |
Notes:
You will use the STG endpoints to integrate.
The STG and PROD environments are not communicated in any way.
No transaction created on the STG environment will be reflected on the PROD environment or vice versa.
The API Keys and configurations between environments are also different.
In case of seeing the error "Insufficient Funds" on STG, you can create and approve a deposit or reach out to integration@tupaypagos.com to add funds to your account.
API Keys
In order to authenticate, our Cashouts APIs uses API Keys in all of the requests to authenticate. Your API Keys can be retrieved from the Merchant Panel by going to Settings -> API Access -> Cashouts Credentials.
The API Keys between the STG and PROD environments are different.
These are the three credentials you will need:
Your user:
API Key
Your password:
API Passphrase
Your secret key to generate the signatures:
API Signature
Authentication to the API is performed via HTTP Basic Auth. You must provide your API Keys in all requests as the basic auth username and password.
Your user and password keys must be sent in all the API calls using the API Key
and API Passphrase
fields on the body of the request.
Your API Keys, along with your IP Addresses are your way to authenticate yourself, therefore, do not share your credentials in publicly accessible areas such as GitHub, client-side code and so forth.
Headers
All requests sent through Cashouts API must have the following headers.
Header | Format | Mandatory | Description |
Payload-Signature | String | Yes | HMAC256 of the whole JSON Payload using your API Signature |
Content-Type | String | Yes |
|
User-Agent | String | Yes | Server client user agent |
IP Whitelisting
For security purposes, you need to whitelist the IPs from where you will call our API.
In order to whitelist your IPs and make the process as smoother as possible, you should go to Settings -> API Access and add the list of IPs you will possibly use under the Cashouts IP Address section.
Reach out to integration@tupaypagos.com if you need to whitelist our servers IPs on your firewall. Note: We convert all the data we receive to UTF-8. Make sure you are also converting it into UTF-8 to make sure both parties have the same details.
Última actualización