Security & best practices
Follow these practices to keep your API key and integration secure.
API key security
- Server-side only — Call the CardPlusPay API from your backend (e.g. PHP, Node, Python). Never embed the API key in frontend JavaScript, mobile app binaries, or public repositories.
- Store in environment or secrets — Use environment variables (e.g. CARDPLUSPAY_API_KEY) or a secrets manager. Do not hardcode the key or commit it to version control.
- Rotate if compromised — If the key may have been exposed, generate a new key under API Keys in the CardPlusPay Dashboard, update your application, then disable or delete the old key.
- Limit access — Restrict who can view or copy API keys in your team. Use a separate key for each environment (e.g. production vs test) so that a test system never holds the production key and a leaked test key cannot be used against production.
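The following is an added example, not code from CardPlusPay, showing one way to apply the key-handling rules above in a Python backend: the key is read only from the process environment (or from variables a secrets manager injects), the process refuses to start without it, each environment has its own variable so a test deployment cannot pick up the production key, and the key is kept out of repr() and logs. CARDPLUSPAY_API_KEY is the variable named on this page; CARDPLUSPAY_ENV and the per-environment names CARDPLUSPAY_API_KEY_PRODUCTION / CARDPLUSPAY_API_KEY_TEST are assumptions made for the example.

```python
import os
from dataclasses import dataclass, field
from typing import Mapping, Optional

# Added example, not CardPlusPay's own code. CARDPLUSPAY_API_KEY is the variable
# named in the docs; CARDPLUSPAY_ENV and the per-environment variables
# CARDPLUSPAY_API_KEY_PRODUCTION / CARDPLUSPAY_API_KEY_TEST are assumptions.

ENVIRONMENTS = ("production", "test")


@dataclass(frozen=True)
class CardPlusPayConfig:
    environment: str
    # repr=False keeps the key out of repr(), out of tracebacks that print the
    # config object, and out of debug logs that dump objects.
    api_key: str = field(repr=False)

    def masked_key(self) -> str:
        """Form that is safe to log: everything but the last four characters hidden."""
        tail = self.api_key[-4:]
        return "*" * (len(self.api_key) - len(tail)) + tail


def load_config(env: Optional[Mapping[str, str]] = None) -> CardPlusPayConfig:
    """Load the API key from the environment and fail closed if it is absent.

    The key is never read from source code or from a file checked into git;
    a secrets manager can inject the same variables at deploy time.
    """
    env = os.environ if env is None else env

    environment = env.get("CARDPLUSPAY_ENV", "test").strip().lower()
    if environment not in ENVIRONMENTS:
        raise ValueError(f"CARDPLUSPAY_ENV must be one of {ENVIRONMENTS}, got {environment!r}")

    # Prefer a per-environment variable so a test deployment cannot pick up the
    # production key by accident; fall back to the generic CARDPLUSPAY_API_KEY.
    key = env.get(f"CARDPLUSPAY_API_KEY_{environment.upper()}") or env.get("CARDPLUSPAY_API_KEY")
    if key is None or not key.strip():
        raise RuntimeError(
            f"no CardPlusPay API key configured for {environment}: "
            f"set CARDPLUSPAY_API_KEY_{environment.upper()} or CARDPLUSPAY_API_KEY"
        )
    key = key.strip()
    if any(ch.isspace() for ch in key):
        # A key with embedded whitespace is almost always a copy/paste mistake.
        raise ValueError("API key contains whitespace; check how it was pasted into the environment")
    return CardPlusPayConfig(environment=environment, api_key=key)


if __name__ == "__main__":
    cfg = load_config()
    # The full key is never printed; only the masked form is.
    print(f"environment={cfg.environment} key={cfg.masked_key()}")
```

Because the dataclass is frozen and the key field is excluded from repr(), an accidental `logger.debug("config=%r", cfg)` cannot leak the secret; rotating the key then only requires changing the environment variable and restarting the process.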
HTTPS and requests
- Always use HTTPS — All requests must go to https://api.cardpluspay.com. Do not send the API key or sensitive data over plain HTTP.
- Validate responses — Check the success field in the response envelope before trusting the data field. Handle errors and timeouts in your code.
- Idempotency — If you retry POST requests (e.g. create order), be aware that each call may create a new order unless the API supports idempotency keys. Implement retry logic carefully: retry only idempotent requests (such as GET) automatically, and for a POST that timed out, check whether the order was created before sending it again.
Rate limits
If the API enforces rate limits, a request over the limit may be rejected with a 429 status, and responses may carry rate-limit headers. Check the API Reference or the response headers for the limits that apply. If you make many requests, implement backoff (honouring a Retry-After header if one is returned) or queue requests client-side rather than retrying immediately.
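The client below is an added example, not CardPlusPay's own SDK, that ties together the HTTPS, response-validation, idempotency and rate-limit points from the two sections above. It refuses any non-HTTPS base URL, validates the response envelope (success, then data) before returning anything, retries a GET after a timeout but raises a distinct error for a timed-out POST so the caller can check for an existing order instead of creating a duplicate, and backs off on 429 using Retry-After when present. The HTTP layer is injected as a plain function so the example runs offline. Assumptions not taken from this page: the key is sent as a bearer token in the Authorization header, error details sit under an "error" key in the envelope, a 429 may carry a Retry-After header, and the "/example" path used in the usage section is a placeholder, not a real endpoint.

```python
import json
import random
import time
from typing import Any, Callable, Mapping, Optional, Tuple
from urllib.parse import urlsplit

# Added example, not CardPlusPay's own client. Assumptions: the key is sent as a
# bearer token in the Authorization header, error details live under an "error"
# key of the envelope, and a 429 may carry a standard Retry-After header.

API_BASE_URL = "https://api.cardpluspay.com"

# A transport performs one HTTP exchange and returns (status, headers, body_text).
# Injecting it keeps the example offline and lets tests simulate 429s and timeouts.
Transport = Callable[[str, str, Mapping[str, str], Optional[str]], Tuple[int, Mapping[str, str], str]]


class CardPlusPayError(Exception):
    """The API returned an error envelope or an unusable response."""


class RateLimited(CardPlusPayError):
    """Still rate limited after all retries."""


class AmbiguousRequest(CardPlusPayError):
    """A non-idempotent request (e.g. create order) may or may not have been
    processed; the caller must check before sending it again."""


def enforce_https(url: str) -> str:
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send the API key over a non-HTTPS URL: {url}")
    return url


def parse_envelope(status: int, body_text: str) -> Any:
    """Return the envelope's data only after the envelope itself has been validated."""
    try:
        payload = json.loads(body_text)
    except ValueError:
        raise CardPlusPayError(f"non-JSON response body (HTTP {status})")
    if not isinstance(payload, dict) or "success" not in payload:
        raise CardPlusPayError(f"response is not a CardPlusPay envelope (HTTP {status})")
    if status >= 400 or payload["success"] is not True:
        raise CardPlusPayError(f"API error (HTTP {status}): {payload.get('error')}")
    return payload.get("data")


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


class Client:
    def __init__(self, api_key: str, transport: Transport, base_url: str = API_BASE_URL,
                 max_retries: int = 3, sleep: Callable[[float], None] = time.sleep):
        self.base_url = enforce_https(base_url).rstrip("/")
        self._api_key = api_key
        self._transport = transport
        self.max_retries = max_retries
        self._sleep = sleep

    def _backoff(self, attempt: int, headers: Mapping[str, str]) -> float:
        # Honour Retry-After when the server sends one; otherwise exponential backoff with jitter.
        retry_after = _header(headers, "Retry-After")
        if retry_after is not None:
            try:
                return max(0.0, float(retry_after))
            except ValueError:
                pass
        return 0.5 * (2 ** attempt) + random.uniform(0, 0.25)

    def request(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        method = method.upper()
        url = self.base_url + path
        headers = {"Authorization": f"Bearer {self._api_key}", "Accept": "application/json"}
        payload = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            payload = json.dumps(body)
        # Only idempotent methods are retried after a timeout: a timed-out POST may
        # already have created an order, so re-sending it could create a second one.
        idempotent = method in ("GET", "HEAD")

        for attempt in range(self.max_retries + 1):
            try:
                status, resp_headers, text = self._transport(method, url, headers, payload)
            except TimeoutError:
                if not idempotent:
                    raise AmbiguousRequest(
                        f"{method} {path} timed out; check whether it was processed before retrying")
                if attempt == self.max_retries:
                    raise CardPlusPayError(f"{method} {path} timed out after {attempt + 1} attempts")
                self._sleep(self._backoff(attempt, {}))
                continue
            if status == 429:
                # A 429 rejects the request before it is processed, so retrying a
                # POST here does not risk a duplicate order.
                if attempt == self.max_retries:
                    raise RateLimited(f"{method} {path} still rate limited after {attempt + 1} attempts")
                self._sleep(self._backoff(attempt, resp_headers))
                continue
            return parse_envelope(status, text)
        raise CardPlusPayError("no attempts made")  # only reachable with max_retries < 0
```

In production the transport would wrap your HTTP library with an explicit timeout that raises TimeoutError; the important behaviours are that the API key never leaves the process over plain HTTP, that a caller only ever sees validated data or an exception, and that the ambiguous case (timed-out POST) is surfaced as its own exception rather than silently retried.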
Data handling
- Gift card codes are sensitive. Transmit them only over HTTPS and store them securely. Do not log full codes.
- When passing customer email or order data to the API, ensure you comply with your privacy policy and applicable laws.
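As an added example, not code from CardPlusPay, the snippet below shows one way to enforce "do not log full codes" in a Python backend: a logging filter that masks gift card code and PIN values inside any dict or list passed as a log argument, so the protection applies to every handler rather than relying on each call site to remember. The field names treated as secrets ("code", "card_code", "pin") are assumptions; match them to the fields your integration actually receives from the API.

```python
import logging
from typing import Any, FrozenSet

# Added example, not CardPlusPay's own code. The field names treated as gift card
# secrets ("code", "card_code", "pin") are assumptions; adjust them to the fields
# your integration actually receives.

SENSITIVE_FIELDS: FrozenSet[str] = frozenset({"code", "card_code", "pin"})


def mask_code(value: str) -> str:
    """Keep only the last four characters; fixed-width prefix so the length is not leaked."""
    return "****" + value[-4:] if len(value) > 4 else "****"


def redact(obj: Any, fields: FrozenSet[str] = SENSITIVE_FIELDS) -> Any:
    """Return a copy of obj with sensitive values masked, recursing through dicts and lists.

    The original object is left untouched so the code is still available to the
    business logic; only what reaches the log is masked.
    """
    if isinstance(obj, dict):
        return {
            k: (mask_code(str(v)) if k in fields and v is not None else redact(v, fields))
            for k, v in obj.items()
        }
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(item, fields) for item in obj)
    return obj


class CodeRedactingFilter(logging.Filter):
    """Masks gift card codes in log record arguments before any handler formats them."""

    def filter(self, record: logging.LogRecord) -> bool:
        # logging collapses a single dict argument into record.args itself,
        # so both the dict and the tuple form have to be handled.
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True


def safe_message(msg: str, *args: Any) -> str:
    """Format a message the way a logger would after the filter has run."""
    record = logging.LogRecord("cardpluspay", logging.INFO, __file__, 0, msg, args, None)
    CodeRedactingFilter().filter(record)
    return record.getMessage()


def install(logger: logging.Logger) -> None:
    """Attach the filter to every handler of the logger (filters on the logger
    itself do not apply to records propagated from child loggers)."""
    for handler in logger.handlers:
        handler.addFilter(CodeRedactingFilter())
```

The filter matches exact field names, so unrelated keys such as currency_code pass through unchanged, and a code passed as a bare positional string (`logger.info("code=%s", code)`) is not recognised; log the structured order object instead of raw code values. Masking covers logs only: codes held in a database still need encryption at rest and access control, as the section above says.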