
zendit Security

The security features of Zendit are designed to ensure the protection and confidentiality of your data and transactions. This document will guide you through the various security measures and best practices to effectively utilize these features.

Zendit security features, API Key, IP Whitelisting, Catalog security and ShieldWall

Security Overview

When using zendit, there are a variety of security measures available. The more security features an account has enabled, the more secure the account will be. The features start with an API Key as the most basic level of security. By following these guidelines you can maintain the security of your account and help protect against fraudulent activity.


Every zendit account is assigned an API key for the test environment.

👋 This key must be included in the Authentication header of API requests made during testing.

Once your account is upgraded to the production environment, you will receive a separate production API key to access the API in your live environment.

API Keys are mandatory for accessing the API and are available in the zendit User Console for the account. Keep API Keys confidential and only share them securely.

If you suspect your key has been compromised, you can regenerate the key in the Zendit user console.

👉 When contacting support, do not include your API Key in any emails. zendit support engineers will never ask for the API Key to an account.

IP Whitelisting

Zendit provides the option to enhance the security of your environment by setting up IP whitelists.

This feature allows you to specify trusted IP addresses that are granted access to your zendit account. Here are some important details regarding IP whitelists:

  1. Purpose: IP whitelists add an extra layer of security by restricting access to your Zendit account only from specified IP addresses. This helps prevent unauthorized access with an API Key that may have been compromised.
  2. Test Mode and Production Environment: You have the ability to set up IP whitelists for both your test mode and production environments. It is strongly recommended to configure IP whitelists for your production environment before upgrading your account to the production stage.
  3. Accessing API Settings: To configure IP whitelists, navigate to the API settings section of the user console. This is where you can manage your whitelist entries.
  4. Multiple Whitelist Entries: You can create multiple whitelist entries for each environment. This allows you to define different sets of trusted IP addresses depending on your specific requirements.
  5. Maximum IP Rules: Each whitelist entry can contain up to 20 IP rules. This gives you the flexibility to specify a range of IP addresses or individual addresses that are allowed to access your zendit account.

By setting up IP whitelists through the user console, you can strengthen the security of your zendit environment and ensure that only authorized IP addresses have access to your account.

IP Rules

When setting up a whitelist in zendit, you have the flexibility to enter individual IP addresses or define a range of sequential IP addresses.

Here’s how you can specify IP addresses in the whitelist:

  1. Individual IP Addresses: Enter one IP address per line in the whitelist. Each line should contain a single IP address that you want to grant access to the selected API environment.
  2. Range of Sequential IP Addresses: To define a range of sequential IP addresses, use the format “start IP address ~ end IP address”. For example, if you want to allow access for IP addresses ranging from to, you would enter “ ~” in the whitelist. This notation indicates that all addresses between the specified start and end IP addresses are permitted to access the API for the selected environment.

By utilizing this format, you can easily configure your IP whitelist to include specific IP addresses or define broader ranges for access control.
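Before pasting a list into the console, it can be checked offline against the rule format and the 20-rule limit described above. The following is an added example, not zendit code: the function names and sample addresses are constructed, and it assumes range ends are inclusive and that any address Python's `ipaddress` module parses is acceptable.

```python
import ipaddress

MAX_RULES = 20  # per-entry limit stated in the documentation

# Constructed sample entry using documentation-reserved addresses.
SAMPLE_ENTRY = """\
203.0.113.10
198.51.100.20 ~ 198.51.100.29
192.0.2.0 ~ 192.0.2.255
"""

def parse_rules(text):
    """Return [(first, last), ...] for one whitelist entry, or raise ValueError."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        start, sep, end = (part.strip() for part in line.partition("~"))
        try:
            first = ipaddress.ip_address(start)
            last = ipaddress.ip_address(end) if sep else first
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if first.version != last.version or first > last:
            raise ValueError(f"line {lineno}: range must run from a lower to a higher address")
        rules.append((first, last))
    if len(rules) > MAX_RULES:
        raise ValueError(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    return rules

def is_allowed(rules, address):
    """True if address falls inside any rule (range ends assumed inclusive)."""
    ip = ipaddress.ip_address(address)
    return any(f.version == ip.version and f <= ip <= l for f, l in rules)

def uncovered(rules, egress_ips):
    """Egress addresses of your own servers that the entry would lock out."""
    return [a for a in egress_ips if not is_allowed(rules, a)]

def wide_rules(rules, limit=64):
    """Rules spanning more than `limit` addresses, for least-privilege review."""
    return [(str(f), str(l), int(l) - int(f) + 1)
            for f, l in rules if int(l) - int(f) + 1 > limit]
```

Running `uncovered()` with the egress addresses of your own servers shows which of them the entry would block, and `wide_rules()` lists ranges broad enough to deserve a second look.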

Setting Up IP Whitelists

To configure an IP whitelist in zendit, follow these steps:

  1. Open the zendit console and go to the API settings page.
  2. Scroll down to the IP whitelisting section.
  3. Click on “Add New IP” to create a new IP whitelist.
  4. A pop-up window will appear where you can provide a friendly name for the whitelist.
  5. Select the desired environment: either production or sandbox (test mode).
  6. Enter the list of IP addresses or IP address ranges that you want to add to the whitelist. You can enter up to 20 IP addresses or ranges.
  7. If needed, you can set up multiple IP whitelists for each environment by repeating the process.

By setting up IP whitelists, you can control which IP addresses have access to the zendit API in each environment, enhancing the security of your integration.

Once you have confirmed your whitelist settings, the specified IP addresses or IP address ranges will be added to your IP whitelists.

These whitelists will determine which IP addresses are allowed to access the zendit API in the designated environment (production or sandbox/test mode). By adding the desired IP addresses to your whitelists, you ensure that only authorized sources can interact with the zendit API, strengthening the security of your integration.

🔐 For optimal security, we highly recommend adding IP whitelists for both your test environment and production environment in zendit. While it may require some additional effort during development and testing, implementing IP whitelists adds an extra layer of protection to your integration.

By whitelisting specific IP addresses or ranges, you ensure that only authorized sources can access your zendit account and perform transactions. This helps prevent unauthorized access, potential data breaches, and the risk of fraudulent activities.

Even in a test environment, it’s crucial to protect your zendit account and data from any unauthorized usage or potential vulnerabilities. Adding IP whitelists to your test environment can help mitigate the risk of token compromises or unauthorized transactions, allowing you to focus on accurate testing and development.

Remember, a proactive approach to security can save you from unexpected issues and ensure the smooth operation of your integration.

Catalog Security Features

Security features have been extended to the catalog.

Products can be disabled so they are not available for sale. If a transaction passes all other security checks but its product is marked as disabled in the catalog, the transaction will be rejected.

To learn more about enabling and disabling products for sale, visit the Catalog Guide.


ShieldWall is a new security feature we’ve added to the Zendit platform.

When it’s implemented in an integration, transaction information will be sent to a webhook exposed by the Zendit client to verify that the transaction is legitimate. If the transaction is not recognized, the webhook can respond to zendit with an error that prevents zendit from fulfilling the transaction.

To learn more about ShieldWall and how to implement it in your environment, visit the ShieldWall Guide.

Webhook Security

Integrations that employ webhooks can set a header and a value on the webhook, which may be used to authenticate it.

The header name and value are selected by the integrating client as an additional security feature for their environment.
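One way a receiving endpoint can enforce that header, as an added example that is not zendit code: the header name, secret value and response codes are constructed placeholders, and the receiver is a minimal WSGI app.

```python
import hmac

# Constructed placeholders: use the header name and value you configured for
# the webhook, and load the value from a secret store rather than source code.
HEADER_NAME = "X-Webhook-Auth"
HEADER_VALUE = "constructed-secret-value-change-me"

def is_authentic(received, expected=HEADER_VALUE):
    """Compare the received header value with the configured one.

    hmac.compare_digest runs in constant time, so response timing does not
    reveal how many leading characters of a guess were correct.
    """
    if received is None:  # header absent: reject
        return False
    return hmac.compare_digest(received.encode(), expected.encode())

def app(environ, start_response):
    """WSGI receiver that authenticates the request before touching the body."""
    # WSGI exposes the header "X-Webhook-Auth" as "HTTP_X_WEBHOOK_AUTH".
    key = "HTTP_" + HEADER_NAME.upper().replace("-", "_")
    if environ.get("REQUEST_METHOD") != "POST" or not is_authentic(environ.get(key)):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"unauthorized"]
    # Authenticated: the payload would be parsed and processed here.
    start_response("204 No Content", [])
    return [b""]
```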