Security & best practices
Follow these practices to keep your API key and integration secure.
API key security
- Server-side only — Call the CardPlusPay API from your backend (e.g. PHP, Node, Python). Never embed the API key in frontend JavaScript, mobile app binaries, or public repositories.
- Store in environment or secrets — Use environment variables (e.g.
CARDPLUSPAY_API_KEY) or a secrets manager. Do not hardcode the key or commit it to version control. - Rotate if compromised — If the key may have been exposed, generate a new key in API Keys in the CardPlusPay Dashboard and update your application; disable or delete the old key.
- Limit access — Restrict who can view or copy API keys in your team. Use separate keys per environment (e.g. production vs test) if you use multiple keys.
HTTPS and requests
- Always use HTTPS — All requests must go to
https://api.cardpluspay.com. Do not send the API key or sensitive data over plain HTTP. - Validate responses — Check
successin the response envelope before trustingdata. Handle errors and timeouts in your code. - Idempotency — For
POST /orders, send a unique, stableIdempotency-Keyper purchase attempt (UUID recommended). Retries with the same key and body replay the original response. Use a new key only when starting a genuinely new purchase. - Purchase request timeout — Set your HTTP client timeout to at least 90 seconds for
POST /orders(180 seconds recommended for some SKUs). If the connection drops before you receive a response, retry with the same idempotency key rather than creating a duplicate order. - Pending orders — HTTP 200 with
status: pendingmeans fulfillment is in progress. PollGET /orders/{id}; do not refund based on elapsed time alone.
Rate limits
If the API enforces rate limits, the response may include relevant headers or a 429 status. Check the API Reference or response headers for rate-limit information. Implement backoff or queuing if you make many requests.
Data handling
- Gift card codes are sensitive. Transmit them only over HTTPS and store them securely. Do not log full codes.
- Buyer account fields (
fieldson direct top-up orders) are personal data. CardPlusPay does not echo them in API responses — store them securely in your application and comply with your privacy policy. - When passing customer email or order data to the API, ensure you comply with your privacy policy and applicable laws.