Security
Authentication and security - handled by the SDK, little to configure
The SDK handles request authentication and response verification for you. The one security step that remains yours is verifying webhook signatures before you act on a webhook (see Webhooks below); everything else described here is either automatic or an optional hardening you switch on in the dashboard.
Use Our SDKs
Always use the official Nylon Pay SDK. It handles request authentication and response verification for you, so you do not have to implement request signing yourself.

```ts
import { createNylonPay } from '@nile-squad/nylonpay-ts';

// Load the credentials from the environment (or a secrets manager); never
// hard-code them or commit them to source control. The secret must only ever
// live on your server. The variable names below are placeholders.
const nylonPay = createNylonPay({
  apiKey: process.env.NYLONPAY_API_KEY!,
  apiSecret: process.env.NYLONPAY_API_SECRET!,
});
```

API Permissions (Send Only, Receive Only)
You can configure API keys to have limited permissions:
| Permission | What it allows |
|---|---|
| Send only | Can create payments but cannot read status |
| Receive only | Can check status but cannot create payments |
Configure this in Dashboard > API Keys when creating a new key. Give each part of your integration the narrowest scope it needs: the service that creates payments gets a send-only key, a reporting or reconciliation job gets a receive-only key, so a leaked key from one component cannot do the other's job.
Webhooks
Nylon Pay sends webhooks to your server to push transaction status updates.
Always verify webhook signatures to confirm they are from Nylon Pay before acting on the payload. Verify against the raw request body exactly as received: if your framework parses the JSON before your handler runs, a re-serialised body will not match the signature.

```ts
import { verifyWebhookSignature } from '@nile-squad/nylonpay-ts';

// Inside your webhook handler.
// rawBody: the unparsed request body; signatureHeader: the signature header
// sent by Nylon Pay; webhookSecret: the secret from your webhook configuration.
const isValid = verifyWebhookSignature({
  payload: rawBody,
  signature: signatureHeader,
  secret: webhookSecret,
});

if (!isValid) {
  // Reject and stop here; never fall through to processing an unverified body.
  res.status(401).end();
  return;
}
```

verifyWebhookSignature also rejects replays: beyond checking the HMAC, it confirms the signed timestamp inside the body is within a freshness window (default 5 minutes), so a captured webhook can't be re-sent later to re-trigger fulfilment. Tune it with toleranceSeconds, or set toleranceSeconds: 0 to disable (not recommended). A replay that arrives inside the window still passes this check, so fulfilment itself must be idempotent: record which events you have already processed and ignore repeats. See the Webhooks guide.
Polling - Check Transaction Status
Instead of waiting for webhooks, you can actively check transaction status using the SDK. Query by the reference you generated and stored when you created the payment; a freshly generated random value would not match any transaction.

```ts
// paymentReference: the reference you passed when creating the payment and
// persisted with your order record.
const result = await nylonPay.getStatus({
  reference: paymentReference,
});

if (result.isOk) {
  console.log(result.value.status);
}
```

See Get Status for details.
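A polling loop built around getStatus, added here as an example and not part of the SDK: it retries with exponential backoff and jitter, tolerates individual failed calls, and stops at a terminal status or after a bounded number of attempts so a stuck transaction cannot keep a worker polling forever. The result shape (`isOk`, `value.status`) follows the snippet above; the terminal state names, the option names and the fake fetcher standing in for `nylonPay.getStatus` are assumptions for illustration, so check the Get Status docs for the real status values.

```typescript
// Result shape as used on this page (assumed to match the SDK's return type;
// only isOk and value.status are consumed here).
export interface StatusResult {
  isOk: boolean;
  value?: { status: string };
  error?: { message: string };
}
export type StatusFetcher = (reference: string) => Promise<StatusResult>;

// Assumed terminal states; replace with the real set from the Get Status docs.
export const TERMINAL_STATES = new Set(['completed', 'failed', 'cancelled']);

export interface PollOptions {
  reference: string;                    // the reference stored when the payment was created
  fetch: StatusFetcher;                 // e.g. (ref) => nylonPay.getStatus({ reference: ref })
  sleep?: (ms: number) => Promise<void>; // injectable so tests run without real delays
  initialDelayMs?: number;              // default 1000
  maxDelayMs?: number;                  // default 30000
  maxAttempts?: number;                 // default 20
}

export interface PollOutcome {
  status: string | null;                // last status seen, or null if no call succeeded
  attempts: number;
  reason: 'terminal' | 'exhausted';
}

export async function pollUntilTerminal(opts: PollOptions): Promise<PollOutcome> {
  const sleep = opts.sleep ?? ((ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms)));
  const maxAttempts = opts.maxAttempts ?? 20;
  const maxDelay = opts.maxDelayMs ?? 30_000;
  let delay = opts.initialDelayMs ?? 1_000;
  let lastStatus: string | null = null;

  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const result = await opts.fetch(opts.reference);
    if (result.isOk && result.value) {
      lastStatus = result.value.status;
      if (TERMINAL_STATES.has(lastStatus)) {
        return { status: lastStatus, attempts: attempt, reason: 'terminal' };
      }
    }
    // A failed call (network error, rate limit) is retried like a non-terminal status.
    if (attempt < maxAttempts) {
      // Exponential backoff with up to 25% jitter so many waiting orders do not
      // hit the API in lockstep and trip the per-minute rate limit.
      await sleep(delay + Math.floor(Math.random() * delay * 0.25));
      delay = Math.min(delay * 2, maxDelay);
    }
  }
  return { status: lastStatus, attempts: maxAttempts, reason: 'exhausted' };
}

// Constructed stand-in for nylonPay.getStatus: replays a scripted sequence of
// results, repeating the last one once the script runs out.
export function makeFakeFetcher(sequence: StatusResult[]): StatusFetcher {
  let i = 0;
  return async () => sequence[Math.min(i++, sequence.length - 1)];
}
```

An 'exhausted' outcome is not a failure of the payment; treat it as "still unknown" and hand the reference to a later reconciliation job rather than marking the order failed.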
IP Whitelisting
Restrict API access to only your server's IP addresses. Requests from any other IP will be rejected.
Configure this in:
Dashboard > API Keys > IP Restriction
For webhooks, you can whitelist Nylon Pay's IP addresses so your endpoint only accepts connections from them. Contact support for the current IP list, and keep your allowlist in sync with it. Treat this as defence in depth: it does not replace signature verification, which is what actually proves a webhook came from Nylon Pay and was not altered.
Data Encryption
All data is encrypted in transit between your server and Nylon Pay.
No configuration needed; this happens automatically.
Server Access Control
Your API keys authenticate every request, so only a caller holding valid keys can act on your account. That also means anyone who obtains them can act as you: keep them on your server only, never in browser code, mobile apps or source repositories, load them from the environment or a secrets manager, and combine them with IP restriction and key scopes so a leaked key is as limited as possible. If you suspect a key has been exposed, replace it in Dashboard > API Keys.
Transaction Verification
Suspicious transactions can be blocked and held for review before processing.
You can configure this in your dashboard to:
- Flag large transactions for manual review
- Block transactions from certain regions
- Require verification before completing a payment
What the SDK Handles Automatically
The SDK handles request signing and response verification automatically; you do not need to implement that logic yourself. Just initialize the SDK with your API keys. What remains your responsibility: verifying webhook signatures with verifyWebhookSignature before acting on a webhook, keeping your API keys and webhook secret out of client-side code and repositories, and choosing key scopes and IP restrictions in the dashboard.
Dashboard Security Features
| Feature | What it does | Where to configure |
|---|---|---|
| IP whitelisting | Restrict API access to specific IPs | Dashboard > API Keys |
| Rate limiting | Limit requests per minute/day | Dashboard > API Keys |
| API key scopes | Limit what a key can do (send only / receive only) | Dashboard > API Keys |
| Transaction blocking | Block suspicious transactions for review | Dashboard > Settings |
See Also
- Webhooks guide - signature verification details
- Get Status - polling transaction status
- Error Handling - handle errors gracefully