March 11, 2024

zendit Security Best Practices

Review the new security features and best practices to keep your integration secure and free of fraudulent transactions.

zendit has come a long way in the past year!

Read more about all the security features available in zendit and how to use them with our recommended best practices to keep your environment secure and fraud free.

API Keys

API Keys can now be regenerated!

We recommend regenerating your keys on a set schedule (e.g. every 90 days). Once a key is regenerated, the previous key is no longer valid for accessing your account through the API, so a key that was compromised stops working.

If you identify that your key is compromised, regenerate a new key immediately from the zendit user console.

Remember to keep this API Key secure. Client support will never ask you for your API Key. If someone asks you for this key and is not a user you trust with the key for your integration, do not share the key.

IP Whitelisting

IP Whitelisting has been with zendit from the start.

Always protect your environment with IP Whitelists that connect your integration to trusted hosts. If your IP Whitelist for production is ever changed, zendit will send an alert to the user console. You may also opt into receiving security-related alerts and changes made in your production environment via email and SMS.

Catalog Security

Securing your catalog is an important part of your integration.

You can disable products so they are not available for sale if you don’t expect to sell them. zendit highly recommends disabling products that aren’t intended for sale as an extra layer of security.

Webhook Security

Clients who elect to implement webhooks can add them to the environment with a header and value.

For production environments, we recommend adding an Authentication header with a long, encoded string (not the API Key) that is known to the client. Checking this header value verifies the authenticity of a webhook received from zendit.


ShieldWall has been released as a webhook we recommend implementing in your integration.

This webhook sends you information about transactions being made in your account, so you can automatically double-check each transaction against your integration to confirm it is legitimate. If the transaction did not originate from your integration, returning a simple error response to the webhook request tells zendit to block it from being fulfilled or funds withdrawn from the wallet.
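The header check from Webhook Security and the ShieldWall transaction check can be handled in one receiver. The sketch below is an added example, not zendit's code: the `transactionId` field name, the status codes, the secret value and the local transaction store are all assumptions made for illustration.

```python
import hmac
import json

# Constructed sample values; in production load the secret from a secret store.
WEBHOOK_SECRET = "constructed-example-secret-not-a-real-value"
# Transaction ids this integration actually created (hypothetical local store).
PENDING_TRANSACTIONS = {"txn-1001", "txn-1002"}


def header_is_authentic(headers, secret):
    """Compare the Authentication header to the shared secret in constant time."""
    received = ""
    for name, value in headers.items():
        if name.lower() == "authentication":  # header names are case-insensitive
            received = value
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(received.encode(), secret.encode())


def handle_webhook(headers, body, secret=WEBHOOK_SECRET, known=PENDING_TRANSACTIONS):
    """Return the HTTP status to send back for one webhook request."""
    if not header_is_authentic(headers, secret):
        return 401  # sender did not present the shared header value
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return 400  # unparsable body: fail closed rather than approve
    # "transactionId" is an assumed field name, not taken from zendit's docs.
    txn_id = payload.get("transactionId") if isinstance(payload, dict) else None
    if not isinstance(txn_id, str) or txn_id not in known:
        return 403  # error response: not a transaction this integration started
    return 200  # transaction matches our own records


if __name__ == "__main__":
    good = {"Authentication": WEBHOOK_SECRET}
    print(handle_webhook(good, b'{"transactionId": "txn-1001"}'))
    print(handle_webhook(good, b'{"transactionId": "txn-9999"}'))
    print(handle_webhook({}, b'{"transactionId": "txn-1001"}'))
```

Every path that cannot confirm the transaction returns an error status, so a missing header, a malformed body or an unknown transaction id is never treated as approval.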
