Integration Security

Server-to-Server Communications

ConnectPay secures server-to-server communications using mutual TLS (mTLS) or RSA public key. Here’s how to set it up:

  1. Certificate Requirements:
    • Provide a CA-issued full certificate chain in X509 ASCII Base64 format (PEM) with leaf, intermediate, and root certificates.
    • Self-signed certificates are not accepted.
    • Ensure the certificate chain is complete and in the correct order.
  2. Submission:
    • Send the certificate chain to [email protected] in a .zip file.
    • The ConnectPay technical team will add the certificate chain provided to the trust stores.
  3. Validation:
    • Certificates will be validated at both the web server and application levels.
    • Certificates must not be expired or revoked.
  4. Access:
  5. General rules and tips:
    • One-way and two-way APIs are mutually exclusive – you can’t access cert-protected APIs via the one-way TLS subdomain and vice versa.
    • You will always find the proper hostname in our API Reference under each API.

Browser/Public-to-Server Communications

For public domain access, such as auth redirects and notification webhooks, use separate one-way TLS API hostnames:

API Security

  1. mTLS for Server-to-Server:
    • All server-to-server API communications (except for merchant APIs) must use mTLS.
    • Merchant APIs use RSA public key.
  2. Basic Auth for Non-Person Data APIs:
    • APIs that do not require access to ConnectPay Person’s data are protected by HTTP Basic Auth.
    • Retrieve ClientKey and ClientSecret from your DevApp configuration.
    • Base64-encode the string ClientKey:ClientSecret (the two values joined by a colon) and send the result in the Authorization header:
      Authorization: Basic Base64(ClientKey:ClientSecret)

Requirements for Certificates

  • Proper Order: Start with the leaf certificate and end with the root certificate.
  • Root Included: Ensure the root certificate is included.
  • Proper Format: Certificates must be in X509 ASCII Base64 format.
  • CA Issued: Use certificates from reputable CAs like Comodo, DigiCert, or BuyPass. Self-signed and Let’s Encrypt certificates are not accepted.
    • Let’s Encrypt certificates will not be accepted because they are issued for only 3 months; the frequent rotations add extra load to your and our DevOps teams and increase the API failure rate, since the chance of forgetting to rotate a certificate is four times greater.
  • Not shared: We strongly recommend not using the same certificate for Prod and Stage. However, please refer to your Company’s security policies. Separation is not a mandatory requirement by ConnectPay.
  • DV: If you are ordering a new certificate and do not have any specific requirements, we recommend domain-validated (DV) certificates, as they are the quickest and easiest to obtain.
  • SSL QWAC for PSD2: To access PSD2 Open Banking APIs, you, as a TPP, must use an extended eIDAS PSD2 certificate with the proper PSD2 TPP roles.
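The following is an added example, not ConnectPay's code: a stdlib-only Python check of the ordering rules listed above (leaf first, every certificate issued by the one after it, a self-signed root last, no self-signed leaf). It compares the raw DER subject and issuer names, which is sufficient for ordering; expiry and revocation are left to the validation ConnectPay performs. fake_cert_pem builds constructed dummy certificates so the check can be exercised offline; for a real chain call check_chain(open("chain.pem").read()).

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(der, pos=0):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def _children(value):  # split a constructed DER value into its (tag, value) elements
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def names(der):
    """Return (subject, issuer) of one DER certificate as raw Name bytes."""
    fields = _children(_children(_tlv(der)[1])[0][1])  # Certificate -> tbsCertificate
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] EXPLICIT version
    return fields[4][1], fields[2][1]  # serial, sigAlg, issuer, validity, subject, ...

def check_chain(pem_text):
    """List the ordering-rule violations in a PEM chain; [] means it is acceptable."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if len(certs) < 3:
        return ["chain must contain leaf, intermediate and root certificates"]
    problems = ["leaf certificate is self-signed"] if certs[0][0] == certs[0][1] else []
    for i in range(len(certs) - 1):  # each issuer must equal the next certificate's subject
        if certs[i][1] != certs[i + 1][0]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    if certs[-1][0] != certs[-1][1]:
        problems.append("chain does not end with a self-signed root")
    return problems

def _der(tag, *parts):  # minimal DER encoder, used only to build the constructed sample below
    body = b"".join(parts)
    nb = (len(body).bit_length() + 7) // 8  # bytes needed if the length takes the long form
    length = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | nb]) + len(body).to_bytes(nb, "big")
    return bytes([tag]) + length + body

def fake_cert_pem(subject, issuer):
    """Constructed sample: an unsigned dummy certificate with only the fields names() reads."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x05))  # AlgorithmIdentifier placeholder
    tbs = _der(0x30, _der(0x02, b"\x01"), alg, name(issuer), _der(0x30), name(subject))
    cert = _der(0x30, tbs, alg, _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(cert).decode()}\n-----END CERTIFICATE-----\n"
```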

For more detailed instructions, refer to the product-related documentation or contact your ConnectPay Account Manager or Developer Support Team.
