# Security

KwikPaisa APIs are designed with enterprise-grade security standards to protect merchant transactions, sensitive customer data, and banking workflows.

All API requests are secured using HMAC SHA256 signature authentication, timestamp validation, encrypted communication, and strict request verification mechanisms.

This guide outlines the recommended security practices for securely integrating with KwikPaisa APIs.

***

## API Authentication Security

Every API request must include:

```http
Content-Type: application/json
Accept: application/json
X-API-KEY: pk_test_xxxxxxxxx
X-TIMESTAMP: GENERATED_TIMESTAMP
X-SIGNATURE: GENERATED_SIGNATURE
```

The X-SIGNATURE header is computed over the request payload concatenated with the timestamp, keyed with your secret key:

```
HMAC_SHA256(payload + timestamp, secret_key)
```

Here `payload` is the JSON request body exactly as it is sent (with keys sorted; see Invalid Signature below) and `timestamp` is the value placed in the X-TIMESTAMP header. Because the server recomputes the signature over what it actually receives, any difference in whitespace, key order, or encoding between the signed string and the transmitted body produces a mismatch.

Together with timestamp validation, the signature helps prevent:

* Unauthorized requests
* Payload tampering
* Replay attacks
* Request forgery
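As an added example (not code from KwikPaisa's own SDKs or documentation), the following Python builds the headers above for one request. It assumes the payload is the request body serialised as compact JSON with sorted keys and that the digest is hex-encoded; neither encoding detail is stated on this page, so confirm both against the API reference before going live. The credentials and body fields are constructed placeholders.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed example credentials. The key prefix follows the X-API-KEY example
# on this page; the secret is made up and must be replaced with your own.
API_KEY = "pk_test_xxxxxxxxx"
SECRET_KEY = "sk_test_example_secret_do_not_use"


def canonical_payload(body: dict) -> str:
    """Serialise the request body deterministically.

    Assumption: this page lists 'unsorted payload keys' and 'incorrect JSON
    formatting' as causes of signature mismatches, so keys are sorted and
    whitespace is fixed (compact separators) here. Check the exact
    serialisation rules against the API reference.
    """
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def sign(payload: str, timestamp: int, secret_key: str) -> str:
    """HMAC_SHA256(payload + timestamp, secret_key), hex-encoded.

    Assumption: the page does not state the digest encoding; hex is used here.
    """
    message = (payload + str(timestamp)).encode("utf-8")
    return hmac.new(secret_key.encode("utf-8"), message, hashlib.sha256).hexdigest()


def build_headers(body: dict, api_key: str = API_KEY, secret_key: str = SECRET_KEY,
                  timestamp: Optional[int] = None) -> Tuple[Dict[str, str], str]:
    """Return (headers, body_string) for one request.

    A fresh UNIX timestamp in seconds is generated per call unless one is
    supplied (the parameter exists so the result is reproducible in tests),
    so a retried request is re-signed rather than replayed.
    """
    ts = int(time.time()) if timestamp is None else timestamp
    payload = canonical_payload(body)
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "X-API-KEY": api_key,
        "X-TIMESTAMP": str(ts),
        "X-SIGNATURE": sign(payload, ts, secret_key),
    }
    return headers, payload


if __name__ == "__main__":
    # Constructed sample body; the field names are illustrative only.
    headers, body = build_headers({"order_id": "ORD-1001", "amount": 49900, "currency": "INR"})
    print(body)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Send the returned `body` string as the HTTP body byte-for-byte; re-serialising the dict in the HTTP client (for example by passing `json=`) can reorder keys or change whitespace and is the usual source of the "Invalid Signature" errors listed later on this page.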

***

## Protect Your Secret Keys

Your `secret_key` is highly sensitive and should always remain confidential.

### Best Practices

* Never expose secret keys in frontend applications
* Never commit credentials to Git repositories
* Store secrets outside the codebase, for example in environment variables or a secrets manager
* Rotate credentials periodically
* Restrict internal access to production credentials

***

## Always Use HTTPS

All API requests must be sent over secure HTTPS connections.

HTTPS encryption protects:

* API credentials
* Customer information
* Transaction payloads
* Webhook communications

Non-HTTPS requests may be rejected for security reasons.

***

## Timestamp Validation

KwikPaisa validates request timestamps to prevent replay attacks.

### Recommendations

* Generate a fresh timestamp for every request
* Use UNIX timestamp in seconds format
* Synchronize server time using NTP
* Avoid reusing old request payloads

Expired timestamps may result in:

```
401 Unauthorized
```

***

## Signature Verification

Before processing any request, KwikPaisa validates:

* Payload integrity
* Timestamp validity
* Merchant authentication
* Signature authenticity

Any mismatch in the request payload, the timestamp, or the secret key used to sign the request will invalidate it.

***

## Webhook Security

Webhook notifications should always be verified before processing.

### Recommended Validation Steps

1. Validate the webhook signature against the raw request body, before parsing it
2. Verify the request timestamp is fresh
3. Confirm the transaction status through the status API rather than trusting the webhook body alone
4. Respond with HTTP 200 quickly and do any heavier processing afterwards
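The receiving side of the checks described in the Timestamp Validation, Signature Verification and Webhook Security sections, as an added example that is not KwikPaisa's code: it recomputes the signature over the raw body, rejects stale timestamps, compares digests in constant time and refuses duplicate deliveries (the replay case covered later on this page). It assumes webhooks carry the same X-TIMESTAMP and X-SIGNATURE headers as API requests, a hex-encoded digest, a 300-second freshness window and an `order_id` field in the event body; all four are assumptions, not something this page states.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

# Constructed secret for the example; use the secret key from your dashboard.
SECRET_KEY = "sk_test_example_secret_do_not_use"

# Assumption: how far a webhook's X-TIMESTAMP may drift from the receiver's
# clock. The page does not publish KwikPaisa's window; 300 s is a common
# choice and can be tightened once both clocks are NTP-synchronised.
MAX_SKEW_SECONDS = 300


def compute_signature(raw_body: str, timestamp: str, secret_key: str) -> str:
    """Recompute HMAC_SHA256(payload + timestamp, secret_key) over the raw body.

    Assumption: hex-encoded digest, and the webhook uses the same
    X-TIMESTAMP / X-SIGNATURE scheme as API requests.
    """
    msg = (raw_body + timestamp).encode("utf-8")
    return hmac.new(secret_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: str, headers: Dict[str, str], secret_key: str,
                   seen_deliveries: Set[str], now: Optional[int] = None) -> str:
    """Return "ok", or a short reason why the webhook must be rejected.

    Cheap checks run first (headers present, timestamp fresh), the signature
    is compared in constant time, and only an authentic delivery is checked
    against the seen-set so an attacker cannot probe it with forged events.
    """
    ts = headers.get("X-TIMESTAMP")
    sig = headers.get("X-SIGNATURE")
    if not ts or not sig:
        return "missing headers"
    if not ts.isdigit():
        return "malformed timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return "expired timestamp"
    expected = compute_signature(raw_body, ts, secret_key)
    # compare_digest does not leak where the two strings first differ.
    if not hmac.compare_digest(expected, sig):
        return "invalid signature"
    try:
        event = json.loads(raw_body)
    except ValueError:
        return "malformed body"
    # Duplicate-delivery guard: the key identifies one specific delivery
    # (order plus timestamp plus signature), so a legitimate later status
    # update for the same order still gets through while a replayed copy of
    # this delivery does not. Assumption: events carry an order_id field.
    delivery_key = f"{event.get('order_id')}:{ts}:{sig}"
    if delivery_key in seen_deliveries:
        return "duplicate delivery"
    seen_deliveries.add(delivery_key)
    return "ok"


def make_sample(body: dict, ts: int, secret_key: str = SECRET_KEY) -> Tuple[str, Dict[str, str]]:
    """Construct a signed sample webhook so the verifier can be exercised offline."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return raw, {"X-TIMESTAMP": str(ts), "X-SIGNATURE": compute_signature(raw, str(ts), secret_key)}


if __name__ == "__main__":
    seen: Set[str] = set()
    now = int(time.time())
    raw, hdrs = make_sample({"order_id": "ORD-1001", "status": "SUCCESS"}, now)
    print(verify_webhook(raw, hdrs, SECRET_KEY, seen, now=now))          # first delivery
    print(verify_webhook(raw, hdrs, SECRET_KEY, seen, now=now))          # replayed copy
    print(verify_webhook(raw.replace("SUCCESS", "FAILED"), hdrs, SECRET_KEY, set(), now=now))
```

Run the check on the raw request bytes your framework hands you, not on a re-serialised copy of the parsed JSON. When the result is "ok", return HTTP 200 immediately, persist the delivery key, and confirm the transaction through the status API before fulfilling the order; a "duplicate delivery" can also be answered with 200, since the event was already handled.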

***

## IP Whitelisting

For enhanced security, production merchants may enable IP whitelisting.

This allows API access only from trusted server IP addresses.

### Benefits

* Prevents unauthorized API access
* Adds an additional security layer
* Restricts access to approved infrastructure

***

## Secure Server-Side Integrations

The following must happen only on your backend servers:

* Signature generation
* Secret key handling
* Transaction validation

Never generate signatures from:

* Mobile apps
* Frontend JavaScript
* Public client applications

***

## Replay Attack Protection

KwikPaisa uses timestamp validation and request signing to prevent replay attacks.

Replay attacks occur when attackers reuse old valid API requests to trigger duplicate actions.

To prevent this:

* Generate a fresh timestamp for every request, including retries
* Avoid reusing order IDs
* Validate the transaction status before retrying a request

***

## Production Security Checklist

Before going live:

* Use HTTPS only
* Secure all secret keys
* Validate webhook signatures
* Enable IP whitelisting
* Monitor API activity
* Rotate credentials regularly
* Implement proper server-side validation

***

## Recommended Security Workflow

1. Generate timestamp
2. Prepare request payload
3. Generate HMAC SHA256 signature
4. Send secure HTTPS request
5. Validate API response
6. Verify webhook notifications

***

## Common Security Errors

### 401 Unauthorized

Possible reasons:

* Invalid signature
* Expired timestamp
* Incorrect secret key
* Missing authentication headers

***

### Invalid Signature

Usually caused by:

* Modified payload
* Incorrect JSON formatting
* Unsorted payload keys
* Timestamp mismatch

***

## Need Help?

If you experience authentication or security-related issues, contact the KwikPaisa integration support team for assistance with:

* Signature verification
* Webhook validation
* Production onboarding
* IP whitelisting
* Security configuration
