
Security

Authentication and security - all automatic, nothing to configure

You do not need to configure anything. The SDK handles authentication and security automatically.


Use Our SDKs

Always use the official Nylon Pay SDK. It handles all security automatically, including request authentication and response verification.

import { createNylonPay } from '@nile-squad/nylonpay-ts';

// Load the key pair from your environment or secret store rather than
// hard-coding it; the placeholder strings below stand in for those values.
const nylonPay = createNylonPay({
  apiKey: 'your_api_key',
  apiSecret: 'your_api_secret',
});

API Permissions (Send Only, Receive Only)

You can configure API keys to have limited permissions:

| Permission   | What it allows                                  |
|--------------|-------------------------------------------------|
| Send only    | Can create payments but cannot read status      |
| Receive only | Can check status but cannot create payments     |

Configure this in Dashboard > API Keys when creating a new key.


Webhooks

Nylon Pay sends webhooks to your server to push transaction status updates.

Always verify webhook signatures to confirm they are from Nylon Pay.

import { verifyWebhookSignature } from '@nile-squad/nylonpay-ts';

// Verify against the raw request body bytes as received. A re-serialized
// JSON object can differ from what Nylon Pay signed and fail verification.
const isValid = verifyWebhookSignature({
  payload: rawBody,
  signature: signatureHeader,
  secret: webhookSecret,
});

if (!isValid) {
  // Reject and return here so the handler never processes an unverified event.
  res.status(401).end();
  return;
}

verifyWebhookSignature also rejects replays: beyond checking the HMAC, it confirms the signed timestamp inside the body is within a freshness window (default 5 minutes), so a captured webhook can't be re-sent later to re-trigger fulfilment. Tune it with toleranceSeconds, or set toleranceSeconds: 0 to disable (not recommended). See the Webhooks guide.


Polling - Check Transaction Status

Instead of waiting for webhooks, you can actively check transaction status using the SDK:

// Look up the payment by the reference used when it was created; a freshly
// generated value would never match an existing transaction.
const result = await nylonPay.getStatus({
  reference: paymentReference,
});

if (result.isOk) {
  console.log(result.value.status);
}

See Get Status for details.


IP Whitelisting

Restrict API access to only your server's IP addresses. Requests from any other IP will be rejected.

Configure this in:

Dashboard > API Keys > IP Restriction

For webhooks, you can whitelist Nylon Pay's IP addresses. Contact support for the current IP list.


Data Encryption

All data is encrypted in transit between your server and Nylon Pay.

No configuration needed. This happens automatically.


Server Access Control

Only your server can talk to Nylon Pay.

Your API keys authenticate every request. Without valid keys, no one can access your account or send requests on your behalf.


Transaction Verification

Suspicious transactions can be blocked and held for review before processing.

You can configure this in your dashboard to:

  • Flag large transactions for manual review
  • Block transactions from certain regions
  • Require verification before completing a payment

What the SDK Handles Automatically

The SDK handles request signing and response verification automatically. You do not need to implement any security logic yourself. Just initialize the SDK with your API keys.


Dashboard Security Features

| Feature              | What it does                                          | Where to configure   |
|----------------------|-------------------------------------------------------|----------------------|
| IP whitelisting      | Restrict API access to specific IPs                   | Dashboard > API Keys |
| Rate limiting        | Limit requests per minute/day                         | Dashboard > API Keys |
| API key scopes       | Limit what a key can do (send only / receive only)    | Dashboard > API Keys |
| Transaction blocking | Block suspicious transactions for review              | Dashboard > Settings |

See Also

  • Webhooks guide - signature verification details
  • Get Status - polling transaction status
  • Error Handling - handle errors gracefully
