Security Best Practices

Essential security guidelines for integrating with Tenzro Platform and protecting your applications.

API Key Security

Storage

  • Never commit API keys to version control
  • Use environment variables or secret management systems
  • Rotate keys regularly (recommended: every 90 days)
  • Use separate keys for development and production

Key Prefixes

PrefixEnvironmentPurpose
tz_live_ProductionReal transactions
tz_test_SandboxTesting only
tz_dev_DevelopmentLocal development

Authentication

Token Handling

  • Store tokens securely (httpOnly cookies or secure storage)
  • Implement token refresh before expiration
  • Clear tokens on logout and session timeout
  • Validate tokens on each request
// Secure token storage example
const storeToken = (token: string) => {
  // Use httpOnly cookie for web applications
  document.cookie = `token=${token}; Secure; HttpOnly; SameSite=Strict`;
};

// Token refresh before expiration
const refreshToken = async () => {
  const response = await fetch('/api/auth/refresh', {
    method: 'POST',
    credentials: 'include'
  });
  return response.json();
};

Webhook Security

Signature Verification

Always verify webhook signatures to ensure requests originate from Tenzro:

import crypto from 'crypto';

function verifyWebhookSignature(
  payload: string,
  signature: string,
  secret: string
): boolean {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload, 'utf8')
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

Webhook Best Practices

  • Use HTTPS endpoints only
  • Verify signatures before processing
  • Implement idempotency (events may be retried)
  • Respond quickly (within 30 seconds)
  • Process events asynchronously

Input Validation

Always validate and sanitize user inputs:

  • Validate addresses are properly formatted
  • Check amounts are within expected ranges
  • Sanitize all string inputs
  • Use parameterized queries for database operations

Rate Limiting

Implement client-side rate limiting to prevent accidental abuse:

class RateLimiter {
  private requests: number[] = [];
  private limit: number;
  private window: number;

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.window = windowMs;
  }

  async throttle(): Promise<void> {
    const now = Date.now();
    this.requests = this.requests.filter(t => t > now - this.window);

    if (this.requests.length >= this.limit) {
      const waitTime = this.requests[0] + this.window - now;
      await new Promise(r => setTimeout(r, waitTime));
    }

    this.requests.push(now);
  }
}

Secure Communication

  • All API requests must use HTTPS
  • TLS 1.2 or higher is required
  • Certificate pinning is recommended for mobile apps
  • Use secure WebSocket (wss://) for real-time connections

Logging and Monitoring

  • Log all authentication attempts
  • Monitor for unusual activity patterns
  • Set up alerts for failed requests
  • Never log sensitive data (tokens, keys, passwords)

Incident Response

If you suspect a security incident:

  1. Immediately rotate all API keys
  2. Review audit logs for unauthorized access
  3. Contact security@tenzro.com
  4. Document the incident timeline