
Integration Security

Secure your integrations with best practices

API Key Management

API keys are the primary method of authentication for integrations. Follow these practices to keep them secure.

Best Practices:

  • Never commit API keys to version control
  • Use environment variables or secure secret management
  • Rotate keys regularly (every 90 days recommended)
  • Use separate keys for development and production
  • Revoke keys immediately if compromised
  • Limit key permissions to only what's needed

HTTPS & TLS

Always use HTTPS when making API requests. Financbase requires TLS 1.3 for all connections and will reject insecure requests.

✅ https://api.financbase.com
❌ http://api.financbase.com

Certificate Validation:

Always verify TLS certificates. Never disable certificate validation, not even in development, because code that skips validation tends to ship to production. Use proper certificate pinning in mobile applications.

Webhook Security

Webhooks must be secured to prevent unauthorized access. Always verify webhook signatures before processing events.

Security Checklist:

  • Verify webhook signatures using the secret key
  • Use HTTPS endpoints only
  • Implement idempotency to handle duplicate events
  • Set up rate limiting on webhook endpoints
  • Log all webhook events for audit purposes
  • Validate event data before processing
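The checklist above (and the "Ignoring Webhook Signatures" pitfall below) can be put into practice with a small receiver. This is an added example, not Financbase's own code: the page does not document the actual signature format, so it assumes a scheme of HMAC-SHA256 over "<timestamp>.<raw body>" carried in a header as "t=<timestamp>,v1=<hex>", a 5-minute replay window, and an in-memory set of seen event ids for idempotency.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed scheme (not documented on this page): the sender computes
# HMAC-SHA256 over "<timestamp>.<raw body>" with the shared webhook secret
# and sends "t=<timestamp>,v1=<hex digest>" in a signature header.
TOLERANCE_SECONDS = 300  # reject signatures older than 5 minutes (replay window)

def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Build the header value the way the assumed sender would (used for tests)."""
    digest = hmac.new(secret, b"%d." % timestamp + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"

def verify(secret: bytes, header: str, body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the header carries a valid, fresh signature for body."""
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = hmac.new(secret, b"%d." % ts + body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatching byte
    return hmac.compare_digest(expected, provided)

class WebhookHandler:
    """Verifies each delivery and processes every event id at most once."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids: set = set()  # persist this in a database in production

    def handle(self, header: str, body: bytes, now: Optional[int] = None) -> str:
        if not verify(self.secret, header, body, now):
            return "rejected"  # respond 400; never parse an unverified body
        event = json.loads(body)  # safe to parse only after verification
        if not isinstance(event, dict) or not isinstance(event.get("id"), str) or "type" not in event:
            return "invalid"  # validate the data before acting on it
        if event["id"] in self.seen_ids:
            return "duplicate"  # idempotency: retried deliveries are no-ops
        self.seen_ids.add(event["id"])
        return "processed"
```

Log the outcome of every call to handle, including rejections, so the audit trail shows both accepted and forged deliveries.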

Common Security Mistakes

Avoid these common security pitfalls when building integrations:

❌ Exposing API Keys in Client-Side Code

Never include API keys in JavaScript, mobile apps, or any client-side code. Use server-side proxies or OAuth instead.

❌ Ignoring Webhook Signatures

Always verify webhook signatures. Without verification, attackers could send fake events to your endpoint.

❌ Using HTTP Instead of HTTPS

All API requests must use HTTPS. HTTP connections are not encrypted and expose your credentials and data.

Security Checklist

Use this checklist to ensure your integration is secure:

  • API keys stored securely (not in code)
  • All requests use HTTPS
  • Webhook signatures verified
  • Rate limiting implemented
  • Error handling doesn't expose sensitive data
  • Input validation on all user data