Security & Compliance

Institutional-grade settlement infrastructure with robust security at every layer.

Security Philosophy

PayDirect is built with security as a foundational principle, not an afterthought. Every payment flows through multiple verification layers — from API authentication through on-chain settlement confirmation.

Our infrastructure is designed for institutional use cases where auditability, transparency, and cryptographic integrity are non-negotiable requirements.

Security Features

API Key Authentication

Every API request requires a Bearer token. Keys are generated per-environment (sandbox/production) with configurable permissions and expiration.

Signature Validation

On-chain payment intents are verified with EIP-712 signatures, which ensures that payment requests have not been tampered with and originate from authorized signers.

Webhook Signature Verification

Every webhook payload includes a cryptographic signature. Verify it server-side to ensure the event originated from PayDirect and was not modified in transit.

On-Chain Settlement Confirmation

Payment completions are verified against blockchain state. No off-chain assumptions — every settlement is confirmed with on-chain transaction evidence.

Full Auditability

Complete audit trails for every payment — from creation through settlement. Every state transition is logged with timestamps and actor identifiers.

Idempotency Protection

Idempotency key support prevents duplicate settlements. Safely retry API calls without risk of double-charging or duplicate transactions.

Rate Limiting

Built-in rate limiting protects against abuse and ensures fair access. Configurable limits per API key with clear error responses when exceeded.

Transparent Pricing

No hidden fees. Settlement costs and platform fees are clearly documented and included in payment receipts for full financial transparency.

Webhook Verification Example

verify-webhook.ts
import crypto from "crypto";
import express from "express";

// Your own event handler; declared here only so the file type-checks.
declare function handlePaymentEvent(event: unknown): void;

function verifyWebhookSignature(
  payload: string | Buffer,
  signature: string | undefined,
  secret: string | undefined
): boolean {
  // A missing header or missing secret can never verify.
  if (!signature || !secret) {
    return false;
  }

  const expected = crypto
    .createHmac("sha256", secret)
    .update(payload)
    .digest("hex");

  // timingSafeEqual throws when the inputs differ in length, so reject
  // malformed signatures up front instead of letting the handler crash.
  const given = Buffer.from(signature);
  const want = Buffer.from(expected);
  if (given.length !== want.length) {
    return false;
  }
  return crypto.timingSafeEqual(given, want);
}

const app = express();

// In your webhook handler. Verify the raw request bytes: a body that has been
// parsed and re-serialized may not match what PayDirect actually signed.
app.post(
  "/webhooks/paydirect",
  express.raw({ type: "application/json" }),
  (req, res) => {
    const header = req.headers["x-paydirect-signature"];
    const signature = Array.isArray(header) ? header[0] : header;
    const rawBody = req.body as Buffer;
    const isValid = verifyWebhookSignature(
      rawBody,
      signature,
      process.env.WEBHOOK_SECRET
    );

    if (!isValid) {
      return res.status(401).json({ error: "Invalid signature" });
    }

    // Process the verified event
    handlePaymentEvent(JSON.parse(rawBody.toString("utf8")));
    res.json({ received: true });
  }
);
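The following is an added, self-contained example (not PayDirect's own code) that exercises the HMAC-SHA256 hex scheme above from both sides and shows two failure modes a receiver must handle: a parsed-and-re-serialized body no longer matching the signed bytes, and a signature of the wrong length, which would make timingSafeEqual throw if compared directly. The payload and secret are constructed sample values.

```typescript
import * as crypto from "crypto";

// Constructed sample: the exact bytes the sender would POST (note the spaces).
export const RAW_BODY =
  '{"id": "evt_demo_001", "type": "payment.settled", "amount": "10.00"}';
// Constructed sample secret, not a real webhook key.
export const SECRET = "whsec_demo_secret";

// Sender side: HMAC-SHA256 over the raw bytes, hex-encoded.
export function signPayload(rawBody: string, secret: string): string {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Receiver side: constant-time compare, rejecting length mismatches first
// because crypto.timingSafeEqual throws on buffers of different length.
export function verifySignature(
  rawBody: string,
  signature: string,
  secret: string
): boolean {
  const expected = Buffer.from(signPayload(rawBody, secret), "utf8");
  const given = Buffer.from(signature, "utf8");
  if (given.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(given, expected);
}

// What a JSON body parser hands you if you re-serialize req.body:
// whitespace (and potentially key order) differ from the wire bytes.
export function reserialize(rawBody: string): string {
  return JSON.stringify(JSON.parse(rawBody));
}

// Runs the four cases a receiver should get right.
export function demo(): Record<string, boolean> {
  const sig = signPayload(RAW_BODY, SECRET);
  return {
    rawOk: verifySignature(RAW_BODY, sig, SECRET),
    reserializedOk: verifySignature(reserialize(RAW_BODY), sig, SECRET),
    tamperedOk: verifySignature(RAW_BODY.replace("10.00", "1000.00"), sig, SECRET),
    malformedOk: verifySignature(RAW_BODY, "deadbeef", SECRET),
  };
}
```

Only the verification over the untouched wire bytes succeeds; the re-serialized body fails even though its content is identical, which is why the handler above verifies the raw body.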

Compliance Notes

Data Handling

PayDirect processes payment metadata but does not store sensitive financial credentials. API keys are hashed at rest. Payment data is encrypted in transit via TLS 1.3.

Blockchain Settlement

All settlements are verifiable on their respective blockchains. Transaction hashes and receipts are provided for every completed payment, enabling independent verification.

Regulatory Awareness

PayDirect is designed as settlement infrastructure. Compliance with local financial regulations is the responsibility of integrating parties. We provide the tools and data needed for regulatory reporting.

Questions About Security?

Review our developer documentation for detailed implementation guidance, or contact us for enterprise security discussions.