Security
Security controls include:
- Security headers via Helmet
- Input validation and query sanitization
- Permission-based authorization
- Tenant boundary enforcement
- API key hashing
- HMAC-SHA256 signatures for webhook deliveries
- Request logging
- Public API subscription-plan gating
Sensitive internals are excluded from responses.
Tenant Boundaries
API keys are linked to a company. Requests only operate on resources owned by that company.
API Key Handling
API keys are shown once when created and stored hashed. Treat them like passwords:
- Store keys in a secret manager or environment variable.
- Do not commit keys to source control.
- Rotate keys if they may have been exposed.
- Use separate keys for separate integrations where possible.
- Give each key only the permissions it needs.
Transport Security
Use HTTPS for all production API requests.
Webhook subscription URLs must also use HTTPS. RemyPass validates the URL before creating a subscription.
Webhook Signatures
Every webhook delivery includes an X-RemyPass-Signature header. Verify it by computing an HMAC-SHA256 digest of the raw request body (the bytes exactly as received, before any parsing) with the subscription secret, then compare it with the header value using a timing-safe comparison.
Input Validation
The API validates path parameters, query parameters, and request bodies. Invalid input returns HTTP 400.
Plan Access
Public API access is gated by company plan and billing status. A valid key can still receive HTTP 403 if the company does not currently have Public API access.