Security Controls
Fintoc applies six security controls when you create payouts with the Transfers API.
These controls restrict money movement to authorized parties, protect requests from tampering in transit, and let you review and audit payout activity.
1. Authenticate all API requests with API keys
Every request to the Fintoc API must include an API key. Fintoc API keys have these properties:
- Each API key is unique per organization.
- The Fintoc Dashboard shows the key only once, at creation time.
- You must store the key securely.
- If a key is lost or compromised, rotate or revoke it immediately from the Fintoc Dashboard.
API keys identify the calling organization and prevent unauthorized access to the API.
2. Sign all money movement requests with JWS
Requests that move money, such as creating outbound transfers, require an additional security layer using a JSON Web Signature (JWS).
You sign each payout request with:
- A private JWS key, stored securely on your side.
- A public JWS key, registered in the Fintoc Dashboard.
The JWS keys are static, but each signature is unique and time-bound. Each signature includes:
- A
nonce, which makes each signature single-use. - A
tstimestamp, which limits how long the request is valid.
The JWS signature:
- Protects the integrity of the request payload.
- Confirms the authenticity of the sender.
- Prevents replay attacks.
Fintoc automatically rejects requests that are unsigned, expired, duplicated, or modified.
3. Restrict API access with IP allowlisting (optional)
You can configure an IP allowlist in the Fintoc Dashboard to control where API requests can originate from.
When IP allowlisting is enabled:
- Requests are accepted only from approved IP addresses.
- Requests from other locations are blocked, even if the API key is valid.
This control reduces risk if credentials are leaked and enforces infrastructure-level access restrictions.
4. Verify webhook signatures
Fintoc signs all webhook events before sending them to your systems.
Always verify webhook signatures before processing an event. Verifying the signature lets you:
- Confirm the event was sent by Fintoc.
- Detect payload tampering.
- Discard forged or replayed webhook requests.
Verifying webhook signatures ensures that downstream systems react only to trusted events.
5. Prevent duplicate payouts with idempotency
To avoid accidental duplicate payouts, Fintoc supports idempotency keys when creating payouts.
When you send an idempotency key:
- Retried requests do not create duplicate transfers.
- Network timeouts and client retries can be handled safely.
When you retry a request with the same idempotency key, Fintoc returns the original payout instead of creating a second one.
6. Audit API usage
All interactions with the Fintoc API are traceable and auditable.
This includes:
- API-key-based identification of the calling organization.
- Timestamped requests for sensitive operations.
- Logged transfer creation and state changes.
These records help you:
- Monitor and review payout activity.
- Support internal audits and compliance processes.
- Investigate incidents or unexpected behavior.
Controls summary
The following table maps each control to the risk it mitigates:
| Control | Risk mitigated |
| API key authentication | Unauthorized API access |
| JWS-signed payout requests | Payload tampering, request forgery, replay attacks |
| IP allowlisting | Credential leakage, unauthorized infrastructure access |
| Webhook signature verification | Forged or manipulated webhook events |
| Idempotent payout creation | Duplicate payouts caused by retries or network failures |
| Auditable API activity | Undetected misuse, limited traceability, audit gaps |
Together, these controls cover authentication, request integrity, retry safety, and auditability for payouts created through the Fintoc API.