zendit Security

The security features of Zendit are designed to ensure the protection and confidentiality of your data and transactions. This document will guide you through the various security measures and best practices to effectively utilize these features.

Security Overview

When using zendit, security measures are in place to protect your account and ensure the accuracy of billing. Here are some important points to keep in mind regarding API keys and account security:

  1. API Keys: Every zendit account is assigned an API key for the test environment. This key must be included in the Authentication header of API requests made during testing. Once your account is upgraded to the production environment, you will receive a separate production API key to access the API in your live environment.
  2. Test Mode and Production Mode: Use the test mode API key for testing and the production API key for your live production environment. Keep these keys separate and use them accordingly.
  3. Key Confidentiality: It is essential to keep your API key confidential and not share it outside your organization. Zendit support will never ask you for your API key. When contacting support, your email address will be used to identify your account.
  4. Suspected Compromise: If you suspect that your account has been compromised or your API key has been exposed, it is important to take immediate action. Contact us to report the issue and request a new API key. As a temporary measure, you can also disable all products in your catalog.
  5. Account Security: In addition to API key security, it is crucial to implement other security measures on your end. This includes using strong passwords, enabling two-factor authentication if available, and restricting access to your zendit account within your organization.
  6. Future Enhancements: Zendit is continuously improving its product, and in the future, users will have the ability to generate new API keys directly within the Zendit console, providing you with more control and flexibility over your account security.

By following these guidelines and maintaining the security of your API keys, you can help ensure the integrity and protection of your zendit account and transactions.

Multifactor Authentication

When creating an account with zendit and operating in test mode, enabling multifactor authentication is optional but highly recommended for added security. It helps safeguard your account and provides an extra layer of protection against unauthorized access.

However, when you upgrade your account to production mode, using multifactor authentication becomes mandatory. This is a crucial security measure to prevent potential account takeovers, especially when real money is involved in your wallet. We prioritize the safety of our users and their funds, and enforcing multifactor authentication is an essential step in achieving that.

In production mode, you are required to set up multifactor authentication with at least one factor being a phone number capable of receiving SMS messages containing authentication tokens. This ensures that only authorized individuals with access to the associated phone number can authenticate and access your zendit account.

Furthermore, each zendit account must have a unique phone number assigned for multifactor authentication. This means that once a phone number is linked to an account, it cannot be used for authentication on any other zendit account. This restriction helps maintain the integrity of each user’s account and prevents potential security breaches.

By implementing multifactor authentication with a unique phone number, you enhance the security of your zendit account and minimize the risk of unauthorized access and fraudulent activities.

IP Whitelisting

Zendit provides the option to enhance the security of your environment by setting up IP whitelists. This feature allows you to specify trusted IP addresses that are granted access to your zendit account. Here are some important details regarding IP whitelists:

  1. Purpose: IP whitelists add an extra layer of security by restricting access to your Zendit account only from specified IP addresses. This helps prevent unauthorized access and potential security breaches.
  2. Test Mode and Production Environment: You have the ability to set up IP whitelists for both your test mode and production environments. It is strongly recommended to configure IP whitelists for your production environment before upgrading your account to the production stage.
  3. Accessing API Settings: To configure IP whitelists, navigate to the API settings section of the user console. This is where you can manage your whitelist entries.
  4. Multiple Whitelist Entries: You can create multiple whitelist entries for each environment. This allows you to define different sets of trusted IP addresses depending on your specific requirements.
  5. Maximum IP Rules: Each whitelist entry can contain up to 20 IP rules. This gives you the flexibility to specify a range of IP addresses or individual addresses that are allowed to access your zendit account.

By setting up IP whitelists through the user console, you can strengthen the security of your zendit environment and ensure that only authorized IP addresses have access to your account.

IP Rules

When setting up a whitelist in zendit, you have the flexibility to enter individual IP addresses or define a range of sequential IP addresses. Here’s how you can specify IP addresses in the whitelist:

  1. Individual IP Addresses: Enter one IP address per line in the whitelist. Each line should contain a single IP address that you want to grant access to the selected API environment.
  2. Range of Sequential IP Addresses: To define a range of sequential IP addresses, use the format “start IP address ~ end IP address”. For example, if you want to allow access for IP addresses ranging from 62.159.33.1 to 62.159.33.100, you would enter “62.159.33.1 ~ 62.159.33.100” in the whitelist. This notation indicates that all addresses between the specified start and end IP addresses are permitted to access the API for the selected environment.

By utilizing this format, you can easily configure your IP whitelist to include specific IP addresses or define broader ranges for access control.

Setting Up IP Whitelists

To configure an IP whitelist in zendit, follow these steps:

  1. Open the zendit console and go to the API settings page.
  2. Scroll down to the IP whitelisting section.
  3. Click on “Add New IP” to create a new IP whitelist.
  4. A pop-up window will appear where you can provide a friendly name for the whitelist.
  5. Select the desired environment: either production or sandbox (test mode).
  6. Enter the list of IP addresses or IP address ranges that you want to add to the whitelist. You can enter up to 20 IP addresses or ranges.
  7. If needed, you can set up multiple IP whitelists for each environment by repeating the process.

By setting up IP whitelists, you can control which IP addresses have access to the zendit API in each environment, enhancing the security of your integration.

Once you have confirmed your whitelist settings, the specified IP addresses or IP address ranges will be added to your IP whitelists. These whitelists will determine which IP addresses are allowed to access the zendit API in the designated environment (production or sandbox/test mode). By adding the desired IP addresses to your whitelists, you ensure that only authorized sources can interact with the zendit API, strengthening the security of your integration.

For optimal security, we highly recommend adding IP whitelists for both your test environment and production environment in zendit. While it may require some additional effort during development and testing, implementing IP whitelists adds an extra layer of protection to your integration.

By whitelisting specific IP addresses or ranges, you ensure that only authorized sources can access your zendit account and perform transactions. This helps prevent unauthorized access, potential data breaches, and the risk of fraudulent activities.

Even in a test environment, it’s crucial to protect your zendit account and data from any unauthorized usage or potential vulnerabilities. Adding IP whitelists to your test environment can help mitigate the risk of token compromises or unauthorized transactions, allowing you to focus on accurate testing and development.

Remember, a proactive approach to security can save you from unexpected issues and ensure the smooth operation of your integration.