API Security at Hello Clever
At Hello Clever, we prioritise the security of our API to ensure that every interaction is protected from unauthorised access and data breaches. Our API security practices include secure authentication, encrypted data transmission, rate limiting, and other key measures to ensure that data remains safe and that your integration is reliable and secure. Whether you’re processing transactions or accessing account data, Hello Clever’s API security framework keeps your data protected.
Here’s an overview of how we maintain API security and the best practices to follow when using Hello Clever’s API.
Secure Authentication and Access Control
To ensure that only authorised users have access to the API, Hello Clever requires secure API authentication. This process validates each API request, ensuring that only verified applications can access the data and services.
- API Keys and Secret Keys: Each API client is provided with a unique API key and secret key, which are used to authenticate requests securely. Only authorised applications should have access to these keys, and they should be stored securely.
- Access Control: Access to sensitive endpoints and data is restricted based on permissions associated with each API key, ensuring that applications only have access to the resources they need.
- Token-Based Authentication: For enhanced security, Hello Clever’s API uses token-based authentication, which adds an extra layer of protection and reduces the risk of unauthorised access.
By implementing secure API authentication, Hello Clever ensures that all API requests are verified and that sensitive data remains protected.
HTTPS and Data Encryption
Hello Clever’s API uses HTTPS to secure all data transmissions between your application and our servers. HTTPS encryption helps protect sensitive information, such as account details and transaction data, from being intercepted by unauthorised parties.
- SSL/TLS Encryption: All data transmitted through the API is encrypted using SSL/TLS, ensuring that data remains confidential during transmission.
- Protection Against Man-in-the-Middle Attacks: HTTPS encryption prevents unauthorised parties from intercepting or tampering with data, securing communication channels between applications and Hello Clever’s servers.
Using HTTPS for all API requests ensures that data remains private and secure, protecting sensitive information from external threats.
Rate Limiting and Throttling
To maintain the reliability and security of our API, Hello Clever implements rate limiting and throttling. Rate limiting controls the number of requests each client can make within a specific time period, helping to prevent abuse and reduce the risk of DDoS attacks.
- Request Limits: Each API client is assigned a maximum number of requests per minute, based on usage patterns. Exceeding this limit results in temporary throttling to maintain API stability.
- Automatic Throttling: If a client exceeds the allowed rate limit, Hello Clever’s API automatically throttles further requests, ensuring that high traffic from one client does not impact other users.
- Protection Against DDoS Attacks: By controlling the flow of API requests, rate limiting helps protect the API from potential Distributed Denial-of-Service (DDoS) attacks, preserving access for all users.
Rate limiting and throttling ensure that Hello Clever’s API remains responsive and reliable for all clients, even during high-demand periods.
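The per-client request limit and automatic throttling described above can be modelled with a token bucket. The following is an added example written for this page, not Hello Clever's own rate-limiting code: it assumes nothing about Hello Clever's actual limits or client identifiers, and the per-minute numbers and client names in it are constructed. Each client gets its own bucket that refills continuously, so one client's burst is throttled without touching any other client's allowance, and a throttled caller is told how long to wait (the value you would send back in a Retry-After header).

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class _Bucket:
    tokens: float    # requests currently available to this client
    updated: float   # time of the last refill, in seconds


class PerClientRateLimiter:
    """Token-bucket limiter keyed by API client.

    Each client has a bucket holding at most `per_minute` tokens that refills at
    per_minute / 60 tokens per second. A request spends one token; when the bucket
    is empty the request is throttled and the caller learns how long to wait.
    Buckets are independent, so one client's burst never consumes another's quota.
    """

    def __init__(self, default_per_minute: int, overrides: Optional[Dict[str, int]] = None):
        self.default_per_minute = default_per_minute
        self.overrides = dict(overrides or {})   # per-client limits (constructed values)
        self._buckets: Dict[str, _Bucket] = {}

    def limit_for(self, client_id: str) -> int:
        return self.overrides.get(client_id, self.default_per_minute)

    def allow(self, client_id: str, now: Optional[float] = None) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds); retry_after is 0.0 when allowed."""
        now = time.monotonic() if now is None else now
        per_minute = self.limit_for(client_id)
        refill_per_sec = per_minute / 60.0
        bucket = self._buckets.get(client_id)
        if bucket is None:
            bucket = _Bucket(tokens=float(per_minute), updated=now)
            self._buckets[client_id] = bucket
        # Credit the tokens earned since the last call, never exceeding the bucket size.
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(float(per_minute), bucket.tokens + elapsed * refill_per_sec)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        # Throttled: report when the next token becomes available.
        return False, (1.0 - bucket.tokens) / refill_per_sec


def simulate_burst(limiter: PerClientRateLimiter, client_id: str, count: int, at: float) -> int:
    """Fire `count` requests at the same instant and return how many were admitted."""
    return sum(1 for _ in range(count) if limiter.allow(client_id, now=at)[0])


if __name__ == "__main__":
    # Constructed scenario: a default of 60/min with one client capped at 5/min.
    limiter = PerClientRateLimiter(default_per_minute=60, overrides={"example_client_bursty": 5})
    print("admitted for bursty client:", simulate_burst(limiter, "example_client_bursty", 8, at=0.0))
    print("throttle decision:", limiter.allow("example_client_bursty", now=0.0))
    print("other client unaffected:", limiter.allow("example_client_quiet", now=0.0))
```

Passing `now` explicitly keeps the limiter deterministic for tests; in production the `time.monotonic()` default is used, and the bucket state would live in a shared store so that every API node enforces the same per-client allowance.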
Secure Server-to-Server Communication
Hello Clever’s API supports secure server-to-server communication to protect data when integrating with other systems. By using secure connections and protected API keys, our API ensures that data is transmitted safely between servers.
- Protected API Keys: Each API key should be stored securely and only used by authorised servers to prevent unauthorised access to API endpoints.
- Encrypted Transmission: All server-to-server communications are encrypted, preventing sensitive data from being accessed by unauthorised parties during transmission.
- IP Whitelisting: To further protect sensitive endpoints, IP whitelisting can be implemented for specific API keys, restricting access to only pre-approved servers.
Server-to-server communication with protected keys ensures that your integration with Hello Clever’s API remains secure and resilient against unauthorised access.
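The checks described in the authentication section (key and secret validation, permissions tied to each key) and in this section (IP whitelisting for specific keys) fit together as a single request gate on the server side. The example below is added here and is not Hello Clever's implementation; the key names, secrets, scope strings and the 203.0.113.0/24 allowlist are constructed for illustration. It stores only a digest of each secret, compares digests in constant time so response timing does not reveal whether a key exists, then applies the key's IP allowlist and endpoint permissions in turn.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet


def hash_secret(secret: str) -> str:
    """Keep only a digest of the secret key, so a leaked registry does not leak secrets."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class KeyRecord:
    secret_hash: str
    scopes: FrozenSet[str]    # endpoint permissions granted to this key
    allowed_networks: tuple   # ipaddress networks; empty tuple = no IP restriction


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class RequestGate:
    """Authenticate an API key + secret, then authorise by source IP and scope."""

    def __init__(self, registry: Dict[str, KeyRecord]):
        self.registry = registry

    def check(self, api_key: str, secret: str, client_ip: str, scope: str) -> Decision:
        record = self.registry.get(api_key)
        # Compare against a dummy digest when the key is unknown, so the timing of
        # the rejection does not reveal whether the key exists.
        expected = record.secret_hash if record else hash_secret("")
        secret_ok = hmac.compare_digest(expected, hash_secret(secret))
        if record is None or not secret_ok:
            return Decision(False, "invalid credentials")
        if record.allowed_networks:
            try:
                ip = ipaddress.ip_address(client_ip)
            except ValueError:
                return Decision(False, "unparseable source address")
            if not any(ip in net for net in record.allowed_networks):
                return Decision(False, "source address not on allowlist")
        if scope not in record.scopes:
            return Decision(False, "key lacks permission for this endpoint")
        return Decision(True, "ok")


# Constructed registry for the example: the key ids, secrets and scope names are
# made up and are not Hello Clever identifiers.
REGISTRY = {
    "example_key_server": KeyRecord(
        secret_hash=hash_secret("example-secret-server"),
        scopes=frozenset({"payments:read", "payments:create"}),
        allowed_networks=(ipaddress.ip_network("203.0.113.0/24"),),  # documentation range
    ),
    "example_key_reporting": KeyRecord(
        secret_hash=hash_secret("example-secret-reporting"),
        scopes=frozenset({"payments:read"}),
        allowed_networks=(),  # no allowlist configured for this key
    ),
}


if __name__ == "__main__":
    gate = RequestGate(REGISTRY)
    print(gate.check("example_key_server", "example-secret-server", "203.0.113.10", "payments:create"))
    print(gate.check("example_key_server", "example-secret-server", "198.51.100.7", "payments:read"))
    print(gate.check("example_key_reporting", "example-secret-reporting", "198.51.100.7", "payments:create"))
    print(gate.check("no-such-key", "anything", "203.0.113.10", "payments:read"))
```

The order of the checks matters: credentials are verified first, and the rejection reasons for the later steps are only ever returned to a caller who already holds a valid key pair, so an unauthenticated caller cannot use them to learn which addresses or scopes a key is bound to.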
Merchant Dashboard Security: Protecting Your API Keys
Hello Clever’s Merchant Dashboard offers tools and security features to help you manage and protect your API keys. Through role-based access and multi-factor authentication (MFA), the Merchant Dashboard ensures that only authorised personnel can access sensitive information, reducing the risk of unauthorised use of API keys.
- Multi-Factor Authentication (MFA): To access the Merchant Dashboard, users are required to complete an MFA process, adding an extra layer of security that protects your API keys from unauthorised access.
- Role-Based Access Control: The Merchant Dashboard supports role-based access control, allowing administrators to assign specific roles and permissions to team members. This ensures that only users with the necessary permissions can access or manage API keys.
- Key Management and Rotation: The dashboard allows you to generate, rotate, and revoke API keys, giving you control over who can access and use your keys. Regular key rotation adds an extra layer of security, reducing the risk of key compromise.
By offering these security features, the Merchant Dashboard enables you to maintain full control over your API keys and prevent unauthorised access to sensitive data.
Data Privacy and Compliance
Hello Clever follows strict data privacy and compliance standards, ensuring that any data processed through our API meets industry regulations for data protection. Our API adheres to the latest data privacy laws, including GDPR and CCPA, to protect customer information.
- Data Minimisation: We only collect and store the data necessary for API functions, reducing exposure to data breaches.
- Access Controls: Access to sensitive data through the API is restricted to authorised clients, with permissions assigned to each API key.
- Audit Logs: For compliance purposes, Hello Clever maintains audit logs of API requests, ensuring that data access is tracked and monitored as part of our security framework.
These data privacy practices ensure that data processed through the API is handled responsibly and in compliance with industry standards.
Best Practices for Using Hello Clever’s API Securely
To help you use Hello Clever’s API securely, here are some best practices to follow:
- Store API Keys Securely: Keep your API keys and secret keys in a secure environment, and avoid sharing them in public code repositories.
- Rotate API Keys Regularly: To enhance security, rotate your API keys periodically and revoke access for keys that are no longer in use.
- Use HTTPS for All Requests: Always ensure that your application communicates with Hello Clever’s API over HTTPS to protect sensitive data in transit.
- Monitor API Usage: Regularly monitor your API usage to detect any unusual patterns, which may indicate unauthorised access.
- Limit Access to Sensitive Endpoints: Only request access to the endpoints and data necessary for your application’s functionality, minimising exposure to sensitive information.
By following these best practices, you can help maintain a secure integration with Hello Clever’s API, protecting your application and customer data.
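Three of the best practices above (keeping keys out of source, using HTTPS for every request, and monitoring usage for unusual patterns) can be enforced in code on the integrating side. The following is an added example for this page, not Hello Clever's SDK or tooling: the environment variable names, the log line format and the log lines themselves are constructed, and the IP addresses come from the reserved documentation ranges. It loads the key pair from the environment, refuses any API base URL that is not https://, and runs a small usage monitor over sample log lines that flags a key being used from an address outside its known set, repeated 401/403 responses on one key, and unusually high request volume.

```python
import os
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, List, Mapping, Set, Tuple
from urllib.parse import urlsplit


def load_credentials(env: Mapping[str, str] = os.environ) -> Tuple[str, str]:
    """Read the key pair from the environment (or a secrets manager), never from a
    file that could be committed. The variable names are hypothetical."""
    key = env.get("HELLO_CLEVER_API_KEY")
    secret = env.get("HELLO_CLEVER_SECRET_KEY")
    if not key or not secret:
        raise RuntimeError("API credentials are not set in the environment")
    return key, secret


def require_https(base_url: str) -> str:
    """Refuse to configure a client against anything but an https:// base URL."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS API base URL: {base_url!r}")
    return base_url


# Constructed log format: timestamp, key id, source IP, method, path, HTTP status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) ip=(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one event per well-formed line; malformed lines are skipped."""
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            yield match.groupdict()


def find_anomalies(events: Iterable[Dict[str, str]], baseline_ips: Dict[str, Set[str]],
                   denied_threshold: int = 3, volume_threshold: int = 100) -> List[tuple]:
    """Flag patterns worth investigating: a key used from an IP outside its baseline,
    repeated 401/403 responses on one key, and high request volume per key."""
    new_ips = defaultdict(set)
    denials: Counter = Counter()
    volume: Counter = Counter()
    for ev in events:
        volume[ev["key"]] += 1
        if ev["ip"] not in baseline_ips.get(ev["key"], set()):
            new_ips[ev["key"]].add(ev["ip"])
        if ev["status"] in ("401", "403"):
            denials[ev["key"]] += 1
    findings = []
    for key, ips in new_ips.items():
        for ip in sorted(ips):
            findings.append(("new_source_ip", key, ip))
    for key, n in denials.items():
        if n >= denied_threshold:
            findings.append(("repeated_denials", key, n))
    for key, n in volume.items():
        if n >= volume_threshold:
            findings.append(("high_volume", key, n))
    return sorted(findings)


# Constructed sample log and baseline; not real traffic.
CONSTRUCTED_LOG = [
    "2024-01-01T10:00:01Z key=example_key_a ip=203.0.113.10 POST /payments 201",
    "2024-01-01T10:00:02Z key=example_key_a ip=203.0.113.10 GET /payments/1 200",
    "2024-01-01T10:00:03Z key=example_key_a ip=198.51.100.5 GET /accounts 200",
    "2024-01-01T10:00:04Z key=example_key_b ip=203.0.113.20 GET /accounts 403",
    "2024-01-01T10:00:05Z key=example_key_b ip=203.0.113.20 GET /accounts 403",
    "2024-01-01T10:00:06Z key=example_key_b ip=203.0.113.20 GET /payouts 403",
    "this line is malformed and is skipped",
]
BASELINE_IPS = {"example_key_a": {"203.0.113.10"}, "example_key_b": {"203.0.113.20"}}


if __name__ == "__main__":
    print(require_https("https://api.example.invalid/v1"))  # placeholder host
    for finding in find_anomalies(parse_log(CONSTRUCTED_LOG), BASELINE_IPS):
        print(finding)
```

The scheme check only guards the configuration; the HTTP client must also verify the server's certificate for HTTPS to protect against interception, which standard clients do by default and which should never be switched off to work around a connection error. A finding from the monitor is a prompt to rotate or revoke the key concerned from the Merchant Dashboard, not proof of compromise on its own.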
With Hello Clever’s secure API, you can integrate payment solutions confidently, knowing that each request is protected by multiple layers of security. To get started, visit our API Reference for detailed information on how to securely implement Hello Clever’s API in your application. For questions or additional support, reach out to our support team, who are here to help you make the most of our secure API services.