Security

Learn how to keep your payments secure.

Notifications

To make sure nobody can interfere with your payments (or get hold of your private key), always stick to the following rules.

Event name

Don’t use the event name as an indicator of the state of a resource.

Since there is no guarantee that an event was actually sent by the Unzer API, always fetch the resource from the API. This way you make sure an attacker cannot inject a false payment state into your shop.

In addition, there is no guarantee that events arrive in the order they were sent. Fetching the resource an event refers to always gives you its latest state.

Event’s retrieveUrl

Don’t use the event’s retrieveUrl to fetch the event’s resource without first making sure the domain is legitimate.

An attacker could send an event whose retrieveUrl points to a domain they control, either to capture your private key (which your shop would send along with the request) or to return fake data that makes you believe a payment has been completed when it has not.

Always fetch the resource by building the API request for the affected resource yourself, against the correct Unzer API domain.