Security Best Practices
Protect API keys, verify webhooks, and ensure safe payment integrations.
1. Protect API Keys
Never expose secret keys
Secret keys (those prefixed with sk_) must only be used server-side. Never commit them to version control or expose them in client-side code.
Use environment variables
Store API keys in environment variables or a secrets manager. Use .env files that are gitignored.
Rotate keys periodically
Regenerate your secret key from the dashboard if you suspect a leak. Old keys can be revoked instantly.
2. Verify Webhooks
Always verify webhook signatures using the X-PayNexus-Signature header:
```php
// Webhook secret: load it from an environment variable or secrets manager (see section 1).
// PAYNEXUS_WEBHOOK_SECRET is an assumed variable name, not one defined by PayNexus.
$secret = getenv('PAYNEXUS_WEBHOOK_SECRET');
$signature = $_SERVER['HTTP_X_PAYNEXUS_SIGNATURE'] ?? '';
// Read the raw request body; the HMAC must be computed over the exact bytes received.
$payload = file_get_contents('php://input');
// hash_equals is a constant-time comparison, so timing does not reveal how much of a forged signature matched.
if (!hash_equals(hash_hmac('sha256', $payload, $secret), $signature)) {
    http_response_code(401);
    exit;
}
```
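The same check as an added Python example (not PayNexus code): it mirrors the PHP snippet's HMAC-SHA256 hex signature, and shows that a tampered body, a missing header, and a re-serialised JSON body all fail, which is why the HMAC has to be computed over the raw request bytes. The secret, the environment variable name and the event fields are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed placeholder secret for this example; in production load it from an
# environment variable or secrets manager (section 1), never hard-code it.
WEBHOOK_SECRET = b"whsec_example_do_not_use"

def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 of the raw body, the value X-PayNexus-Signature is expected to
    carry (mirrors hash_hmac('sha256', $payload, $secret) in the PHP snippet)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_signature(raw_body: bytes, header_value: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """True only if the header matches the HMAC of the exact bytes received.
    hmac.compare_digest is constant-time, like PHP's hash_equals."""
    if not header_value:
        return False
    expected = sign(raw_body, secret)
    try:
        return hmac.compare_digest(expected, header_value)
    except TypeError:  # non-ASCII header value: cannot be a valid hex digest
        return False

def handle_webhook(raw_body: bytes, headers: dict) -> int:
    """Minimal handler: 401 on a bad or missing signature, 200 once verified.
    The JSON is only parsed after the signature check passes."""
    if not verify_signature(raw_body, headers.get("X-PayNexus-Signature", "")):
        return 401
    event = json.loads(raw_body)
    # ... process the verified event here ...
    return 200

if __name__ == "__main__":
    # Constructed sample event; field names are illustrative, not the real schema.
    body = b'{"event":"payment.completed","amount":1500,"reference":"ref_123"}'
    good_headers = {"X-PayNexus-Signature": sign(body)}
    assert handle_webhook(body, good_headers) == 200
    # A tampered body presented with the original signature must be rejected.
    tampered = body.replace(b"1500", b"1")
    assert handle_webhook(tampered, good_headers) == 401
    # Re-serialising the JSON changes the bytes (whitespace, key order), so verifying
    # json.dumps(json.loads(body)) instead of the raw body would wrongly reject valid events.
    reserialised = json.dumps(json.loads(body)).encode()
    assert reserialised != body
    assert verify_signature(reserialised, sign(body)) is False
    print("signature checks behave as expected")
```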
3. Use HTTPS
All webhook endpoints must use HTTPS in production. Never accept webhooks over unencrypted HTTP.
4. Validate Input
Always validate phone numbers and amounts before initiating payments. Use the /mpesa/validate-phone endpoint to normalize phone numbers.