Security
BluePay is built with secure defaults for dashboards, APIs, and webhooks. This page describes practical steps you can take to keep your integration safe.
1. Protect your API keys
- Keep API keys on your server (never in client-side JavaScript).
- Rotate keys if you suspect exposure.
2. Verify webhooks
- Verify the X-Bluepay-Signature header using HMAC-SHA256 before accepting a webhook payload.
- Reject requests where signatures don't match.
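As an added example (not BluePay's own code), a Python handler that performs the check described above: it recomputes the HMAC-SHA256 over the raw request body and compares it with the X-Bluepay-Signature header in constant time. The hex encoding of the signature, the secret and the event payload are assumptions or constructed values, not taken from this page.

```python
import hmac
import hashlib
import json

# Constructed webhook signing secret (not a real BluePay credential).
WEBHOOK_SECRET = b"whsec_example_constructed_secret"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received, hex-encoded.
    Assumption: BluePay signs the raw body and sends a lowercase hex digest."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Return True only if X-Bluepay-Signature matches the body.

    - Header names are matched case-insensitively, as HTTP allows.
    - hmac.compare_digest avoids leaking the match position via timing.
    - The raw bytes are verified; re-serialising parsed JSON would change the digest.
    """
    received = next((v for k, v in headers.items()
                     if k.lower() == "x-bluepay-signature"), None)
    if not received:
        return False  # missing signature: reject, never trust the payload alone
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, received.strip().lower())


def handle_webhook(headers: dict, raw_body: bytes, secret: bytes = WEBHOOK_SECRET):
    """Minimal handler returning an HTTP-style (status, message) tuple."""
    if not verify_webhook(headers, raw_body, secret):
        return 401, "invalid signature"
    event = json.loads(raw_body)  # parse only after the signature is verified
    return 200, f"accepted {event.get('type', 'unknown')}"


if __name__ == "__main__":
    # Constructed event payload and a matching signature.
    body = b'{"type":"payment.completed","id":"evt_constructed_1"}'
    good = {"X-Bluepay-Signature": compute_signature(WEBHOOK_SECRET, body)}
    print(handle_webhook(good, body))                                         # accepted
    print(handle_webhook(good, body.replace(b"completed", b"failed")))        # tampered body
    print(handle_webhook({}, body))                                           # no header
```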
3. Report a vulnerability
Email hello@bluepay.co.ke with details. Please avoid public disclosure until we confirm a fix.