
Securing Your Integration

Security best practices for integrating with the Anton Payments API, including HTTPS, IP allowlisting, webhook verification, and least privilege.

Written by Ryan O
Updated today

Overview

A secure integration protects your business, your recipients, and the funds flowing through your account. This article covers the key security practices you should implement when building against the Anton API.

HTTPS Everywhere

All communication with the Anton API must use HTTPS (TLS 1.2 or higher). The API rejects non-TLS connections entirely. Ensure that:

  • Your API client is configured to use https:// URLs

  • Your webhook receiver endpoint uses HTTPS with a valid, non-expired TLS certificate

  • You do not disable certificate verification in your HTTP client, even in development
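The three bullets above translate into a small amount of client configuration. The following is an added example (not code from this article or from Anton) showing how to build an HTTPS-only API client in Python's standard library that refuses TLS below 1.2 and cannot have certificate verification switched off by accident. The API host is a constructed placeholder; no request is actually sent.

```python
import http.client
import ssl
from urllib.parse import urlparse

# Constructed placeholder; the real Anton API base URL is not given on this page.
API_BASE_URL = "https://api.anton.example"


def make_client_context() -> ssl.SSLContext:
    """TLS context that refuses anything below TLS 1.2 and always verifies the server certificate."""
    ctx = ssl.create_default_context()  # system CA bundle, CERT_REQUIRED, hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not context_is_hardened(ctx):
        # Guards against an environment hook (or a "temporary" dev tweak) weakening verification.
        raise RuntimeError("certificate verification must stay enabled")
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies certificates, checks hostnames and floors TLS at 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def validate_api_url(url: str) -> str:
    """Reject any base URL that is not https://. The API would refuse a cleartext connection anyway,
    but failing here means credentials are never even offered over http://."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError(f"API base URL must be https://<host>, got {url!r}")
    return url


def api_connection(base_url: str = API_BASE_URL) -> http.client.HTTPSConnection:
    """Prepare an HTTPS connection using the hardened context; nothing is sent until a request is made."""
    host = urlparse(validate_api_url(base_url)).hostname
    return http.client.HTTPSConnection(host, context=make_client_context(), timeout=10)


if __name__ == "__main__":
    conn = api_connection()
    print("connection prepared for", conn.host, "with minimum", make_client_context().minimum_version.name)
```

If you use a third-party client such as `requests`, the equivalent rule is to never pass `verify=False`; the context above can be mounted on an adapter, but the important property is the one `context_is_hardened` checks.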

Webhook Signature Verification

Every webhook delivery from Anton includes an Anton-Signature header containing an HMAC-SHA256 signature. You must verify this signature on every incoming webhook before processing the event. This confirms the request genuinely came from Anton and has not been tampered with.

Key points:

  • Use constant-time comparison functions to prevent timing attacks

  • Verify against the raw request body (not a re-serialized version)

  • Enforce timestamp checks -- reject events older than 5 minutes to prevent replay attacks

  • Never process a webhook payload without successful signature verification

See the Verifying Webhook Signatures article for detailed code examples.
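To make the four key points concrete, here is an added example of a verifier written for this article (it is not Anton's published code; see the Verifying Webhook Signatures article for the authoritative version). It assumes a header layout of the form `t=<unix timestamp>,v1=<hex HMAC-SHA256>` where the signed payload is `<timestamp>.<raw body>`; that layout, the secret and the sample event are all constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Assumed header layout for this example: "t=<unix timestamp>,v1=<hex HMAC-SHA256>"
# over the bytes "<t>.<raw body>". Confirm Anton's actual format before relying on it.
MAX_AGE_SECONDS = 5 * 60  # the article: reject events older than 5 minutes


class WebhookVerificationError(Exception):
    pass


def parse_signature_header(header: str) -> dict:
    fields = {}
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if sep and key and value:
            fields[key] = value
    if "t" not in fields or "v1" not in fields:
        raise WebhookVerificationError("malformed Anton-Signature header")
    return fields


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    signed_payload = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, signature_header: str, raw_body: bytes, now=None) -> dict:
    """Return the parsed event only if timestamp and signature both check out; raise otherwise."""
    fields = parse_signature_header(signature_header)
    try:
        timestamp = int(fields["t"])
    except ValueError:
        raise WebhookVerificationError("non-numeric timestamp") from None
    current = time.time() if now is None else now
    if current - timestamp > MAX_AGE_SECONDS:
        raise WebhookVerificationError("event older than 5 minutes; possible replay")
    expected = compute_signature(secret, fields["t"], raw_body)
    # compare_digest runs in constant time, so a forged value cannot be confirmed byte by byte
    if not hmac.compare_digest(expected, fields["v1"]):
        raise WebhookVerificationError("signature mismatch")
    # Only parse the body after verification succeeds.
    return json.loads(raw_body)


# Constructed sample delivery; the secret is a placeholder, not a real Anton webhook secret.
SAMPLE_SECRET = b"whsec_example_placeholder"
SAMPLE_BODY = b'{"id": "evt_123", "type": "payout.completed", "amount": 1050}'
SAMPLE_TS = 1_700_000_000


def sample_header(timestamp: int = SAMPLE_TS) -> str:
    return f"t={timestamp},v1={compute_signature(SAMPLE_SECRET, str(timestamp), SAMPLE_BODY)}"


if __name__ == "__main__":
    event = verify_webhook(SAMPLE_SECRET, sample_header(), SAMPLE_BODY, now=SAMPLE_TS + 30)
    print("accepted:", event["type"])
    # Re-serialising the JSON changes the whitespace, so the signature no longer matches:
    # always verify the raw bytes you received, not a decoded-and-re-encoded copy.
    reserialized = json.dumps(json.loads(SAMPLE_BODY), separators=(",", ":")).encode()
    try:
        verify_webhook(SAMPLE_SECRET, sample_header(), reserialized, now=SAMPLE_TS + 30)
    except WebhookVerificationError as exc:
        print("rejected re-serialized body:", exc)
```

In a web framework, pass the framework's raw request body (for example `request.get_data()` in Flask or `await request.body()` in FastAPI) into `verify_webhook`; reading the parsed JSON and dumping it again is the mistake the second bullet warns about.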

Server-Side Only

API keys must only be used from your backend servers. Never include them in:

  • Browser JavaScript or frontend code

  • Mobile applications

  • Client-side configuration files

  • Public repositories or documentation

Client-side code can always be inspected by end users. Any API key embedded in client code is effectively public.

Least Privilege

Apply the principle of least privilege throughout your integration:

  • Only request the API access your application actually needs

  • Use separate API keys for different services or environments

  • Restrict webhook subscriptions to only the event types your system processes

  • Limit which team members have access to API keys and the merchant portal

IP Allowlisting

For additional security, you can configure your firewall or reverse proxy to only accept webhook deliveries from Anton's IP ranges. Contact your account manager for the current list of Anton's egress IP addresses. This adds a network-level verification layer on top of signature verification.
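An allowlist check is simple in itself; the part that goes wrong in practice is deciding which address to check when a reverse proxy sits in front of the receiver. The following added example (not Anton's code) uses RFC 5737 documentation ranges as placeholders for the egress list your account manager supplies, and a constructed `10.0.0.0/8` range for your own proxies. It trusts `X-Forwarded-For` only when the TCP peer is one of those proxies, and then only the right-most entry, which is the one the proxy appended.

```python
import ipaddress
from typing import Optional

# Placeholder ranges (RFC 5737 documentation space); replace with the egress list from Anton.
ANTON_EGRESS_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed placeholder for your own load balancers / reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def in_ranges(addr: str, ranges) -> bool:
    """True if addr parses as an IP address and falls inside any of the given networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed input is treated as not allowed, never as an error to swallow
    return any(ip in net for net in ranges)


def webhook_source_ip(peer_addr: str, forwarded_for: Optional[str]) -> str:
    """Pick the address to check. X-Forwarded-For is caller-controlled text unless a trusted proxy
    appended to it, so it is honoured only when the TCP peer is one of our proxies, and only its
    right-most value (the hop that proxy saw). Anything further left may have been supplied by the sender."""
    if forwarded_for and in_ranges(peer_addr, TRUSTED_PROXIES):
        return forwarded_for.split(",")[-1].strip()
    return peer_addr


def accept_webhook(peer_addr: str, forwarded_for: Optional[str] = None) -> bool:
    """Network-level gate to run before signature verification, not instead of it."""
    return in_ranges(webhook_source_ip(peer_addr, forwarded_for), ANTON_EGRESS_RANGES)


if __name__ == "__main__":
    print("direct from allowlisted range:", accept_webhook("203.0.113.7"))
    print("direct from elsewhere:", accept_webhook("192.0.2.1"))
    print("via trusted proxy:", accept_webhook("10.1.2.3", "203.0.113.7"))
    print("spoofed header, untrusted peer:", accept_webhook("192.0.2.1", "203.0.113.7"))
```

Where possible do this in the firewall or proxy configuration itself, as the article suggests, and keep the application-level check as a second line; either way, a request from an allowlisted address still needs a valid signature.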

Secure Error Handling

When your integration encounters errors:

  • Do not expose internal error details or stack traces to end users

  • Do not log sensitive data (API keys, bank account numbers, PII) in error messages

  • Sanitize any error information before displaying it or sending it to external monitoring services
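The sanitisation step is easiest to enforce in one place, at the logging layer, rather than at every call site. The following added example (not from this article or from Anton) shows a redaction function, a `logging.Filter` that applies it to every record before it reaches a handler or a monitoring exporter, and a user-facing error shape that carries only a correlation id. The key-name, account-number and e-mail patterns are assumptions for the example and should be tuned to the identifiers your system actually handles.

```python
import logging
import re

# Assumed patterns for this example; adjust to the formats your integration really uses.
REDACTIONS = [
    # key=value / key: value forms for credential-like names, including "Authorization: Bearer x"
    (re.compile(r"(?i)\b(api[_-]?key|authorization|secret)\b[\"']?\s*[:=]\s*[\"']?(?:bearer\s+)?([^\s\"',;]+)"),
     r"\1=[REDACTED]"),
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[REDACTED-EMAIL]"),
    # bank account numbers assumed to be 8-17 digits; note this also masks other long digit runs
    (re.compile(r"\b\d{8,17}\b"), "[REDACTED-ACCOUNT]"),
]


def sanitize(message: str) -> str:
    """Strip credentials, account numbers and e-mail addresses from free text before it is stored or shipped."""
    for pattern, replacement in REDACTIONS:
        message = pattern.sub(replacement, message)
    return message


class RedactingFilter(logging.Filter):
    """Rewrites each record's rendered message so every handler (file, stdout, external monitoring) sees the sanitised form."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize(record.getMessage())
        record.args = ()
        return True


def user_facing_error(reference_id: str) -> dict:
    """What the end user sees: a generic message plus an id they can quote to support.
    The exception, stack trace and request details stay in the (redacted) server log under the same id."""
    return {"error": "The request could not be completed.", "reference": reference_id}


def configure_logging() -> logging.Logger:
    logger = logging.getLogger("anton_integration")
    logger.setLevel(logging.INFO)
    if not logger.filters:
        logger.addFilter(RedactingFilter())
    return logger


if __name__ == "__main__":
    log = configure_logging()
    logging.basicConfig(level=logging.INFO)
    # constructed example message; the key and account number are made up
    log.error("payout failed for account %s using api_key=sk_test_abc123 (contact ops@example.com)", "12345678901")
    print(user_facing_error("req_7f3a"))
```

Exporting to an external monitoring service goes through the same logger, so the filter protects that path too; what it cannot catch is a secret placed directly into an exception message by library code, which is why the user-facing response never echoes the exception text.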

Dependency Management

  • Pin all dependency versions -- do not use floating or wildcard version ranges

  • Regularly update dependencies to patch known vulnerabilities

  • Use a vulnerability scanner (e.g., Dependabot, Snyk) to monitor for security issues in your dependency tree

Monitoring and Alerting

Set up monitoring for your integration:

  • API error rates -- Track 4xx and 5xx response rates. A sudden increase could indicate a problem.

  • Webhook delivery failures -- Alert when deliveries fail so you can investigate and recover missed events.

  • Authentication failures -- Monitor for 401 responses, which could indicate a revoked or compromised key.

  • Unusual activity -- Watch for unexpected patterns in payout creation, amounts, or destinations.
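The first three bullets can be checked with a few counters over your own request log. As an added example (not code from this article or from Anton), the block below summarises a constructed sample of structured log lines, one JSON object per API call, and raises the two alerts the article describes: a jump in 4xx/5xx rate and a run of 401 responses. The thresholds and the log format are assumptions for the example.

```python
import json
from collections import Counter

# Constructed sample of structured request-log lines (not real Anton traffic).
SAMPLE_LOG_LINES = [
    '{"ts": 1700000000, "method": "POST", "path": "/v1/payouts", "status": 200}',
    '{"ts": 1700000005, "method": "GET",  "path": "/v1/payouts/p_1", "status": 200}',
    '{"ts": 1700000010, "method": "POST", "path": "/v1/payouts", "status": 201}',
    '{"ts": 1700000020, "method": "POST", "path": "/v1/payouts", "status": 401}',
    '{"ts": 1700000021, "method": "POST", "path": "/v1/payouts", "status": 401}',
    '{"ts": 1700000022, "method": "GET",  "path": "/v1/balance", "status": 401}',
    '{"ts": 1700000023, "method": "POST", "path": "/v1/payouts", "status": 401}',
    '{"ts": 1700000030, "method": "POST", "path": "/v1/payouts", "status": 500}',
    'this line is not JSON and must not crash the summary',
    '{"ts": 1700000040, "method": "GET",  "path": "/v1/payouts/p_2", "status": 200}',
    '{"ts": 1700000045, "method": "GET",  "path": "/v1/payouts/p_3", "status": 200}',
]


def summarize(lines) -> dict:
    """Count responses by class. Unparseable lines are counted separately rather than ignored silently."""
    counts = Counter()
    for line in lines:
        try:
            record = json.loads(line)
            status = int(record["status"])
        except (json.JSONDecodeError, KeyError, TypeError, ValueError):
            counts["unparseable"] += 1
            continue
        counts["total"] += 1
        if status == 401:
            counts["auth_failures"] += 1
        if 400 <= status < 500:
            counts["client_errors"] += 1
        elif status >= 500:
            counts["server_errors"] += 1
    return {k: counts[k] for k in ("total", "client_errors", "server_errors", "auth_failures", "unparseable")}


def alerts(summary: dict, max_error_rate: float = 0.05, max_auth_failures: int = 3) -> list:
    """Assumed thresholds: more than 5% errors, or 3+ authentication failures, in the window examined."""
    out = []
    if summary["total"]:
        rate = (summary["client_errors"] + summary["server_errors"]) / summary["total"]
        if rate > max_error_rate:
            out.append(f"error rate {rate:.0%} exceeds {max_error_rate:.0%}")
    if summary["auth_failures"] >= max_auth_failures:
        out.append(f"{summary['auth_failures']} authentication failures; check whether the key was revoked or compromised")
    return out


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG_LINES)
    print(summary)
    for message in alerts(summary):
        print("ALERT:", message)
```

Run the same summary per time window (for example each minute) and compare against a baseline from normal traffic; the fixed thresholds here are only a starting point, and the "unusual activity" bullet above needs business context (expected amounts and destinations) that a status-code counter cannot supply.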
