Security & Best Practices

Essential security guidelines for safe API integration

API Key Protection

Your API credentials are the keys to your account. Protect them at all costs:

  • Never expose API secrets in client-side code - JavaScript, mobile apps, or browser extensions can be reverse-engineered
  • Use environment variables - Store credentials in .env files or secure key management systems
  • Never commit secrets to version control - Add .env to .gitignore
  • Use different keys per environment - Separate keys for development, staging, and production
  • Rotate keys regularly - Regenerate API keys every 90 days or immediately if compromised

HTTPS Enforcement

All API communications must use HTTPS:

  • HTTPS Only - All endpoints require HTTPS. HTTP requests are automatically rejected
  • TLS 1.2+ Required - Use modern TLS versions for secure connections
  • Certificate Validation - Always validate SSL certificates (don't disable certificate verification)

Warning: Never disable SSL certificate validation, even in development. This exposes you to man-in-the-middle attacks.

IP Whitelisting

Restrict API key usage to specific IP addresses for enhanced security:

  • Configure IP whitelist in Dashboard → API Management → Security Settings
  • Add your server's static IP addresses (both IPv4 and IPv6 if applicable)
  • Requests from non-whitelisted IPs will be rejected with 403 Forbidden
  • Useful for server-to-server integrations but not for client-side applications

Signature Validation

HMAC-SHA256 signatures prevent request tampering and, combined with timestamps, replay attacks:

  • Always include timestamp - Timestamps prevent replay attacks (requests expire after 5 minutes)
  • Use correct sign string format - Method + Path + Body + Timestamp (in that exact order)
  • Validate server clock - Ensure your server's clock is synchronized with NTP to avoid timestamp errors
  • Never reuse signatures - Generate a new signature for each request

Timestamp Expiry

Request timestamps are validated to prevent replay attacks:

  • Timestamps must be within ±5 minutes of server time
  • Requests with expired timestamps are rejected
  • Use Unix timestamp in seconds (not milliseconds)
  • Ensure server clock is synchronized (use NTP)

Tip: If you're getting timestamp errors, check your server's system time and timezone settings.

Key Rotation Policies

Regularly rotate your API keys to limit exposure:

  • Rotate every 90 days - Set a calendar reminder to regenerate keys quarterly
  • Immediate rotation if compromised - If you suspect a key is leaked, revoke it immediately
  • Gradual migration - Generate a new key, update the application, then revoke the old key once the new one is verified to work
  • Monitor key usage - Check dashboard regularly for unusual activity

Webhook Verification (Future-Ready)

When implementing webhooks, always verify the signature:

  • Webhook requests include an X-Webhook-Signature header
  • Verify the signature using HMAC-SHA256 with your webhook secret
  • Reject requests with invalid signatures to prevent spoofing
  • Use HTTPS endpoints for webhook receivers
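The following added example (not code from the API provider) shows the request-signing scheme from the Signature Validation and Timestamp Expiry sections alongside a receiver-side check for the X-Webhook-Signature header. It assumes plain concatenation of Method + Path + Body + Timestamp with no separator, a hex-encoded digest, and that the webhook secret signs the raw body; the secret and request values are constructed samples.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample secret for this example only; real secrets come from
# environment variables or a secret manager, never from source code.
API_SECRET = b"example-secret-do-not-use"
MAX_SKEW_SECONDS = 300  # the +/-5 minute window described above


def sign_string(method: str, path: str, body: str, timestamp: int) -> str:
    # Sign string order from the page: Method + Path + Body + Timestamp.
    # Plain concatenation with no separator is an assumption here.
    return f"{method.upper()}{path}{body}{timestamp}"


def sign_request(secret: bytes, method: str, path: str, body: str, timestamp: int) -> str:
    # HMAC-SHA256 over the sign string; hex encoding of the digest is assumed.
    msg = sign_string(method, path, body, timestamp).encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, method: str, path: str, body: str, timestamp: int,
                   signature: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver-side check: reject stale timestamps first, then compare MACs in constant time."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside +/-5 minute window"
    expected = sign_request(secret, method, path, body, timestamp)
    # compare_digest does not leak the position of the first mismatching byte
    if not hmac.compare_digest(expected, signature):
        return False, "signature mismatch"
    return True, "ok"


def webhook_signature(secret: bytes, raw_body: bytes) -> str:
    # Assumes the webhook secret signs the raw body and the header carries a hex digest.
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    # header_value is the X-Webhook-Signature header; verify before parsing the body
    return hmac.compare_digest(webhook_signature(secret, raw_body), header_value)


if __name__ == "__main__":
    ts = int(time.time())
    body = '{"amount":"10.00"}'  # constructed sample body
    sig = sign_request(API_SECRET, "POST", "/v1/orders", body, ts)
    print(verify_request(API_SECRET, "POST", "/v1/orders", body, ts, sig))
    print(verify_request(API_SECRET, "POST", "/v1/orders", body + " ", ts, sig))  # tampered body
    print(verify_request(API_SECRET, "POST", "/v1/orders", body, ts - 600, sig))  # stale timestamp
```

Verify the raw bytes of a webhook body before deserializing it, since re-serializing parsed JSON can change the bytes and break the comparison.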

Security Audit Recommendations

  • Regular security audits - Review your integration code for security vulnerabilities
  • Dependency scanning - Keep all dependencies up-to-date and scan for known vulnerabilities
  • Access logging - Log all API requests for audit trails
  • Monitor for anomalies - Set up alerts for unusual API usage patterns
  • Penetration testing - Periodically test your integration for security weaknesses

OWASP Compliance

Follow OWASP security best practices:

  • A01:2021 – Broken Access Control - Use proper authentication and authorization
  • A02:2021 – Cryptographic Failures - Use HTTPS, proper encryption
  • A03:2021 – Injection - Validate and sanitize all inputs
  • A04:2021 – Insecure Design - Follow secure design principles
  • A05:2021 – Security Misconfiguration - Secure default configurations
  • A06:2021 – Vulnerable Components - Keep dependencies updated
  • A07:2021 – Authentication Failures - Implement proper authentication
  • A08:2021 – Data Integrity Failures - Verify data integrity
  • A09:2021 – Logging Failures - Implement comprehensive logging
  • A10:2021 – SSRF - Validate URLs and prevent SSRF attacks

Additional Security Tips

  • Validate all inputs - Never trust user input. Validate amounts, addresses, and all parameters
  • Use rate limiting - Implement client-side rate limiting to avoid hitting API limits
  • Implement request timeouts - Set reasonable timeouts to prevent hanging requests
  • Sanitize error messages - Don't expose sensitive information in error messages to users
  • Use secure storage - Store API secrets in encrypted storage or secret management systems