Security & best practices

Follow these practices to keep your API key and integration secure.

API key security

  • Server-side only — Call the CardPlusPay API from your backend (e.g. PHP, Node, Python). Never embed the API key in frontend JavaScript, mobile app binaries, or public repositories.
  • Store in environment or secrets — Use environment variables (e.g. CARDPLUSPAY_API_KEY) or a secrets manager. Do not hardcode the key or commit it to version control.
  • Rotate if compromised — If the key may have been exposed, generate a new key in API Keys in the CardPlusPay Dashboard and update your application; disable or delete the old key.
  • Limit access — Restrict who can view or copy API keys in your team. Use separate keys per environment (e.g. production vs test) if you use multiple keys.

HTTPS and requests

  • Always use HTTPS — All requests must go to https://api.cardpluspay.com. Do not send the API key or sensitive data over plain HTTP.
  • Validate responses — Check success in the response envelope before trusting data. Handle errors and timeouts in your code.
  • Idempotency — For POST /orders, send a unique, stable Idempotency-Key per purchase attempt (UUID recommended). Retries with the same key and body replay the original response. Use a new key only when starting a genuinely new purchase.
  • Purchase request timeout — Set your HTTP client timeout to at least 90 seconds for POST /orders (180 seconds recommended for some SKUs). If the connection drops before you receive a response, retry with the same idempotency key rather than creating a duplicate order.
  • Pending orders — HTTP 200 with status: pending means fulfillment is in progress. Poll GET /orders/{id}; do not refund based on elapsed time alone.

Rate limits

If the API enforces rate limits, the response may include relevant headers or a 429 status. Check the API Reference or response headers for rate-limit information. Implement backoff or queuing if you make many requests.

Data handling

  • Gift card codes are sensitive. Transmit them only over HTTPS and store them securely. Do not log full codes.
  • Buyer account fields (fields on direct top-up orders) are personal data. CardPlusPay does not echo them in API responses — store them securely in your application and comply with your privacy policy.
  • When passing customer email or order data to the API, ensure you comply with your privacy policy and applicable laws.

← SDK · Integration Guide · Troubleshooting →