Security First Design
Built from the ground up with security as a core principle. Non-custodial architecture means we never hold your funds.
Non-Custodial by Design
The most secure funds are the ones we never touch. Our non-custodial architecture means payments go directly from your customers to your wallets.
No Private Keys Stored
We never have access to your wallet private keys. You maintain complete control of your funds at all times.
Direct to Your Wallet
Customer payments go directly to the wallet address you provide. No intermediate holding accounts.
No Withdrawal Process
Since funds go straight to your wallet, there's no withdrawal delay or approval process.
Zero Counterparty Risk
Even if our service went offline, your funds are already in your wallet. Nothing is held by us.
Payment Flow
Security Features
Multiple layers of security protect your integration.
64-Character API Keys
Cryptographically secure random API keys with 256 bits of entropy. Shown only once at registration.
a1b2c3d4e5f6...64 characters
HMAC-SHA256 Webhooks
Every webhook is signed with your unique secret. Verify signatures to ensure webhooks are authentic.
X-Webhook-Signature: sha256=...
bcrypt Password Hashing
Passwords are hashed using bcrypt with an appropriate cost factor. Plain-text passwords are never stored.
bcrypt(password, saltRounds=10)
httpOnly JWT Cookies
Dashboard sessions use httpOnly cookies to prevent XSS attacks from stealing authentication tokens.
Set-Cookie: jwt=...; HttpOnly; Secure
Strict Input Validation
All API inputs are validated using class-validator decorators. Invalid data is rejected before processing.
@IsEmail(), @IsUUID(), @Max(4)
SQL Injection Prevention
TypeORM uses parameterized queries throughout. No raw SQL concatenation with user input.
WHERE id = $1 (parameterized)
Blockchain Verification
Payments are verified on-chain with appropriate confirmation thresholds.
Tron Network: 20 confirmations required (~60 seconds typical)
Ethereum Network: 12 confirmations required (~3 minutes typical)
BSC Network: 15 confirmations required (~45 seconds typical)
Why Confirmations Matter
Confirmation requirements protect against double-spend attacks and chain reorganizations. We wait for sufficient confirmations before considering a payment final and triggering your webhook. These thresholds balance security with reasonable confirmation times.
Data Protection
We collect minimal data and protect what we store.
Minimal Data Collection
We only store what's necessary: email, hashed password, wallet addresses, and invoice records.
No Payment Card Data
Since payments are in USDT, we never handle credit card numbers or bank account details.
Encrypted at Rest
Database encryption protects stored data. API keys are hashed after initial display.
TLS in Transit
All API communication uses HTTPS/TLS encryption. HTTP requests are redirected to HTTPS.
What We Store
Security Best Practices
Recommendations for securing your integration.
Always Verify Webhook Signatures
Before processing any webhook, verify the HMAC signature matches. Reject requests with invalid or missing signatures.
Store API Keys Securely
Never commit API keys to version control. Use environment variables or a secrets manager. Rotate keys if compromised.
Use HTTPS for Webhooks
Your webhook endpoint should use HTTPS with a valid certificate. We won't send webhooks to insecure HTTP endpoints in production.
Implement Idempotency
Your webhook handler should be idempotent. We may retry failed webhooks, so ensure processing the same webhook twice doesn't cause issues.
Monitor Your Wallets
Set up blockchain alerts for your wallet addresses. While our system notifies you of matched payments, independent monitoring adds a security layer.
Use Hardware Wallets
For large volumes, consider using hardware wallet addresses. Since we're non-custodial, your security practices for wallet management directly affect fund safety.
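The "Always Verify Webhook Signatures" and "Implement Idempotency" recommendations above can be combined in one handler. The Node.js sketch below is an added example, not the service's own code. It assumes the signature is the lowercase hex HMAC-SHA256 of the raw request body carried in the X-Webhook-Signature header after the sha256= prefix, and that each event has a unique id field; the payload field names and the in-memory store are hypothetical.

```javascript
const crypto = require('node:crypto');
const PREFIX = 'sha256='; // prefix shown on the page's X-Webhook-Signature header

// Assumption: signature = hex(HMAC-SHA256(webhook secret, raw request body)).
function sign(secret, rawBody) {
  return PREFIX + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// True only for a present, well-formed header whose MAC matches the raw body.
function verifySignature(secret, rawBody, header) {
  if (typeof header !== 'string' || !header.startsWith(PREFIX)) return false;
  const expected = Buffer.from(sign(secret, rawBody));
  const received = Buffer.from(header);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

// `seen` stands in for a durable store (e.g. a unique-keyed table) of handled event ids.
function makeHandler(secret, fulfil, seen = new Set()) {
  return function handle(rawBody, headers) {
    // Node lowercases incoming header names.
    if (!verifySignature(secret, rawBody, headers['x-webhook-signature'])) {
      return { status: 401, result: 'rejected' };
    }
    const event = JSON.parse(rawBody); // parse only after the MAC checks out
    if (seen.has(event.id)) return { status: 200, result: 'duplicate' };
    fulfil(event);
    seen.add(event.id); // record after success so a failed attempt can be retried
    return { status: 200, result: 'processed' };
  };
}

// Constructed sample delivery; `id` and `invoiceId` are hypothetical field names.
const SECRET = 'constructed-webhook-secret';
const BODY = JSON.stringify({ id: 'evt-0001', invoiceId: 'inv-1', status: 'paid' });

function demo() {
  const fulfilled = [];
  const handle = makeHandler(SECRET, (e) => fulfilled.push(e.invoiceId));
  const signed = { 'x-webhook-signature': sign(SECRET, BODY) };
  return {
    first: handle(BODY, signed).result,
    retry: handle(BODY, signed).result,
    tampered: handle(BODY.replace('inv-1', 'inv-2'), signed).result,
    missing: handle(BODY, {}).result,
    fulfilled,
  };
}
console.log(demo());
```

Verify against the exact bytes received, before any JSON parsing or re-serialization, since a re-encoded body will not reproduce the same MAC.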
Responsible Disclosure
Found a security vulnerability? We appreciate responsible disclosure. Please report security issues to our security team rather than public issue trackers.
security@example.com
Secure Payments Start Here
Create your account and start accepting non-custodial USDT payments.