Security Controls
In this guide, we describe the security and safety controls applied when creating payouts with the Fintoc Transfers API. These controls help ensure that only authorized parties can initiate money movements, that requests cannot be altered in transit, and that payout activity can be reviewed and audited.
1. Authenticate all API requests with API keys
Every request to the Fintoc API must include an API key.
- API keys are unique per organization.
- The key is shown only once at creation time in the Fintoc Dashboard.
- You must store the key securely.
- If a key is lost or compromised, rotate or revoke it immediately from the Dashboard.
API keys identify the calling organization and prevent unauthorized access to the API.
2. Sign all money movement requests with JWS
Requests that move money, such as creating outbound transfers, require an additional security layer using JSON Web Signatures (JWS).
Each payout request is signed using:
- A private JWS key, stored securely on your side
- A public JWS key, registered in the Fintoc Dashboard
The JWS keys are static, but each signature is unique and time-bound. This is achieved by including:
- A nonce, which makes each signature single-use
- A timestamp, which limits how long the request is valid
The JWS signature:
- Protects the integrity of the request payload
- Confirms the authenticity of the sender
- Prevents replay attacks
Fintoc automatically rejects requests that are unsigned, expired, duplicated, or modified.
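The following is an added example, not Fintoc's code or its documented wire format, showing how a nonce and timestamp inside a JWS make each signature single-use and time-bound, and how the receiving side rejects unsigned, modified, expired and replayed requests in that order. It assumes ES256 (ECDSA over P-256) and header field names "nonce" and "ts"; the real algorithm and field names come from the Transfers API reference. Only the signing half runs on your side; the Verifier type is here to make the rejection rules concrete.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWS compact serialization uses base64url without padding.
var b64 = base64.RawURLEncoding

// NewKeyPair generates the private JWS key kept on your side; the public half
// is what you would register in the Dashboard.
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignPayout builds header.payload.signature over the payout JSON. The header
// names "nonce" and "ts" are assumptions for this example.
func SignPayout(priv *ecdsa.PrivateKey, payout []byte, nonce string, now time.Time) (string, error) {
	header, err := json.Marshal(map[string]any{"alg": "ES256", "nonce": nonce, "ts": now.Unix()})
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payout)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// ES256 JWS signatures are raw R||S, each left-padded to 32 bytes (not DER).
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

var (
	ErrMalformed = errors.New("unsigned or malformed request")
	ErrBadSig    = errors.New("signature invalid: payload modified or wrong key")
	ErrExpired   = errors.New("signature timestamp outside the allowed window")
	ErrReplay    = errors.New("nonce already used: replay rejected")
)

// Verifier models the receiving side: the registered public key, the freshness
// window and the set of nonces already consumed.
type Verifier struct {
	pub    *ecdsa.PublicKey
	maxAge time.Duration
	seen   map[string]bool
}

func NewVerifier(pub *ecdsa.PublicKey, maxAge time.Duration) *Verifier {
	return &Verifier{pub: pub, maxAge: maxAge, seen: map[string]bool{}}
}

// Verify returns the payout payload only if the JWS parses, the signature
// verifies, the timestamp is fresh and the nonce has not been seen before.
func (v *Verifier) Verify(jws string, now time.Time) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	hdrBytes, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return nil, ErrMalformed
	}
	var hdr struct {
		Alg   string `json:"alg"`
		Nonce string `json:"nonce"`
		TS    int64  `json:"ts"`
	}
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" || hdr.Nonce == "" {
		return nil, ErrMalformed
	}
	// Signature first, so unauthenticated input can never consume a nonce.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(v.pub, digest[:], r, s) {
		return nil, ErrBadSig
	}
	if d := now.Sub(time.Unix(hdr.TS, 0)); d > v.maxAge || d < -v.maxAge {
		return nil, ErrExpired
	}
	if v.seen[hdr.Nonce] {
		return nil, ErrReplay
	}
	v.seen[hdr.Nonce] = true
	return payload, nil
}

func main() {
	priv, _ := NewKeyPair()
	v := NewVerifier(&priv.PublicKey, 5*time.Minute)
	now := time.Now()
	payout := []byte(`{"amount":1000,"currency":"CLP","account":"placeholder-account"}`) // constructed
	jws, _ := SignPayout(priv, payout, "nonce-1", now)
	_, err := v.Verify(jws, now)
	fmt.Println("first use:", err)
	_, err = v.Verify(jws, now)
	fmt.Println("same request again:", err)
}
```

Generate the nonce from a CSPRNG (for example 16 bytes from crypto/rand, base64url-encoded) and use your server's clock for the timestamp; if your clocks drift, the receiver will report the request as expired rather than invalid, which is the first thing to check when signed requests start failing.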
3. Restrict API access with IP allowlisting (optional)
You can configure an IP allowlist in the Fintoc Dashboard to control where API requests can originate from.
When IP allowlisting is enabled:
- Requests are accepted only from approved IP addresses
- Requests from other locations are blocked, even if the API key is valid
This control reduces risk if credentials are leaked and enforces infrastructure-level access restrictions.
4. Verify webhook signatures
Fintoc signs all webhook events before sending them to your systems.
You should always verify webhook signatures before processing an event. This allows you to:
- Confirm the event was sent by Fintoc
- Detect payload tampering
- Discard forged or replayed webhook requests
Verifying webhook signatures ensures that downstream systems react only to trusted events.
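An added example of the receiving-side check, not Fintoc's code: it assumes a shared webhook secret, a header of the form "t=<unix seconds>,v1=<hex HMAC-SHA256>" and a MAC computed over "<t>.<raw body>". Those details are assumptions for illustration; take the header name, format and secret from Fintoc's webhook reference. The points it demonstrates hold regardless of format: verify the raw request bytes before parsing them, compare the MAC in constant time, and bound the age of the event so a captured delivery cannot be replayed indefinitely.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

var (
	ErrSigHeader   = errors.New("missing or malformed signature header")
	ErrSigMismatch = errors.New("signature mismatch: forged or tampered event")
	ErrSigStale    = errors.New("event timestamp outside tolerance: possible replay")
)

// computeMAC returns HMAC-SHA256(secret, "<ts>.<rawBody>"). Signing the raw
// bytes rather than a re-serialized JSON object is what makes the check exact:
// any byte altered in transit changes the MAC.
func computeMAC(secret []byte, ts int64, rawBody []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	mac.Write(rawBody)
	return mac.Sum(nil)
}

// ComputeSignature is the hex form a sender would place in the header.
func ComputeSignature(secret []byte, ts int64, rawBody []byte) string {
	return hex.EncodeToString(computeMAC(secret, ts, rawBody))
}

// parseSignatureHeader reads "t=<unix>,v1=<hex>". This layout is an assumption
// for the example, not Fintoc's documented header format.
func parseSignatureHeader(h string) (ts int64, sig []byte, err error) {
	ts = -1
	for _, field := range strings.Split(h, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(field), "=")
		if !ok {
			return 0, nil, ErrSigHeader
		}
		switch k {
		case "t":
			if ts, err = strconv.ParseInt(v, 10, 64); err != nil {
				return 0, nil, ErrSigHeader
			}
		case "v1":
			if sig, err = hex.DecodeString(v); err != nil {
				return 0, nil, ErrSigHeader
			}
		}
	}
	if ts < 0 || sig == nil {
		return 0, nil, ErrSigHeader
	}
	return ts, sig, nil
}

// VerifyWebhook decides whether an incoming event may be processed. The MAC is
// compared in constant time; the tolerance window limits how long a captured
// delivery remains replayable.
func VerifyWebhook(secret []byte, header string, rawBody []byte, now time.Time, tolerance time.Duration) error {
	ts, got, err := parseSignatureHeader(header)
	if err != nil {
		return err
	}
	if !hmac.Equal(computeMAC(secret, ts, rawBody), got) {
		return ErrSigMismatch
	}
	if d := now.Sub(time.Unix(ts, 0)); d > tolerance || d < -tolerance {
		return ErrSigStale
	}
	return nil
}

func main() {
	secret := []byte("whsec_placeholder") // constructed; the real secret comes from the Dashboard
	body := []byte(`{"type":"transfer.succeeded","id":"placeholder-event"}`) // constructed event
	now := time.Now()
	header := fmt.Sprintf("t=%d,v1=%s", now.Unix(), ComputeSignature(secret, now.Unix(), body))
	fmt.Println("genuine:", VerifyWebhook(secret, header, body, now, 5*time.Minute))
	tampered := []byte(`{"type":"transfer.succeeded","id":"someone-else"}`)
	fmt.Println("tampered:", VerifyWebhook(secret, header, tampered, now, 5*time.Minute))
}
```

In an HTTP handler, read the body with io.ReadAll before any JSON decoding and pass those exact bytes to VerifyWebhook; once the event is accepted, also deduplicate on the event ID, since a legitimately redelivered event carries a valid signature and a recent timestamp.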
5. Prevent duplicate payouts with idempotency
To avoid accidental duplicate payouts, Fintoc supports idempotency mechanisms when creating payouts.
When idempotency is used:
- Retried requests do not create duplicate transfers
- Network timeouts and client retries can be handled safely
Idempotency improves operational safety and reliability, especially in failure or retry scenarios.
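An added example, not Fintoc's implementation, showing the two halves of idempotent payout creation: a client that generates one key per logical payout and reuses it on every retry, and a service that returns the stored result for a repeated key instead of creating a second transfer, and rejects the key when it arrives with a different payload. The request fields, key handling and "po_" identifiers are assumptions for illustration; the Transfers API defines the real parameter for the key. The simulated lost response is the case the text describes: the server processed the request, the client saw a timeout and retried.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// PayoutRequest is an illustrative money-movement payload, not the API schema.
type PayoutRequest struct {
	Amount   int64
	Currency string
	Account  string
}

type Payout struct {
	ID       string
	Amount   int64
	Currency string
	Account  string
}

var (
	ErrKeyMissing = errors.New("idempotency key required for payout creation")
	ErrKeyReuse   = errors.New("idempotency key reused with a different payload")
)

type record struct {
	fingerprint string
	payout      Payout
}

// PayoutService stands in for the API side: it remembers which key produced
// which transfer so a retry gets the stored answer instead of moving money twice.
type PayoutService struct {
	mu      sync.Mutex
	nextID  int
	records map[string]record
	ledger  []Payout // transfers actually created
}

func NewPayoutService() *PayoutService {
	return &PayoutService{records: map[string]record{}}
}

// fingerprint binds a key to one exact payload, so a key cannot be recycled
// for a different amount or destination.
func fingerprint(req PayoutRequest) string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s", req.Amount, req.Currency, req.Account)))
	return hex.EncodeToString(h[:])
}

func (s *PayoutService) CreatePayout(key string, req PayoutRequest) (Payout, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if key == "" {
		return Payout{}, ErrKeyMissing
	}
	fp := fingerprint(req)
	if rec, ok := s.records[key]; ok {
		if rec.fingerprint != fp {
			return Payout{}, ErrKeyReuse
		}
		return rec.payout, nil // repeated request: same answer, no new transfer
	}
	s.nextID++
	p := Payout{ID: fmt.Sprintf("po_%04d", s.nextID), Amount: req.Amount, Currency: req.Currency, Account: req.Account}
	s.records[key] = record{fingerprint: fp, payout: p}
	s.ledger = append(s.ledger, p)
	return p, nil
}

// TransfersCreated reports how many transfers really happened, which is the
// figure an operator reconciles against.
func (s *PayoutService) TransfersCreated() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.ledger)
}

// SendWithRetry models the client: one key per logical payout, reused on every
// retry. loseFirstResponse simulates a timeout after the server already acted.
func SendWithRetry(svc *PayoutService, key string, req PayoutRequest, loseFirstResponse bool) (Payout, error) {
	var last error
	for attempt := 1; attempt <= 3; attempt++ {
		p, err := svc.CreatePayout(key, req)
		if err != nil {
			return Payout{}, err // a definitive rejection is not retried
		}
		if loseFirstResponse && attempt == 1 {
			last = errors.New("timeout: response lost after the server processed the request")
			continue
		}
		return p, nil
	}
	return Payout{}, last
}

func main() {
	svc := NewPayoutService()
	req := PayoutRequest{Amount: 1000, Currency: "CLP", Account: "placeholder-account"} // constructed
	p, err := SendWithRetry(svc, "idem-key-1", req, true)
	fmt.Println(p.ID, err, "transfers created:", svc.TransfersCreated())
	_, err = svc.CreatePayout("idem-key-1", PayoutRequest{Amount: 5000, Currency: "CLP", Account: "placeholder-account"})
	fmt.Println("key reused with a different payload:", err)
}
```

Persist the key alongside the payout in your own database before the first attempt, so that a process crash between send and response does not produce a fresh key (and therefore a second transfer) on restart.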
6. Audit API usage
All interactions with the Fintoc API are traceable and auditable.
This includes:
- API key–based identification of the calling organization
- Timestamped requests for sensitive operations
- Logged transfer creation and state changes
These records help you:
- Monitor and review payout activity
- Support internal audits and compliance processes
- Investigate incidents or unexpected behavior
🛡️ Controls summary
| Control | Risk mitigated |
|---|---|
| API key authentication | Unauthorized API access |
| JWS-signed payout requests | Payload tampering, request forgery, replay attacks |
| IP allowlisting | Credential leakage, unauthorized infrastructure access |
| Webhook signature verification | Forged or manipulated webhook events |
| Idempotent payout creation | Duplicate payouts caused by retries or network failures |
| Auditable API activity | Undetected misuse, limited traceability, audit gaps |
Together, these controls provide a defense-in-depth approach that combines authentication, integrity, operational safety, and auditability for payouts created through the Fintoc API.