Security best practices
AgentPay handles API keys, wallet references, and payment flows. Following these practices helps keep your integration and your users' data secure.
API keys
- Never commit keys to source control. Use environment variables or a secrets manager (e.g. Vercel env, Render Environment, Railway Variables) and inject them at runtime.
- One key per agent or environment. Use separate keys for development, staging, and production so a compromise is limited in scope.
- Rotate if exposed. If a key is leaked, create a new key from the dashboard or POST /api-keys, update your config, and stop using the old key. There is no key revocation endpoint today; rotation is create-and-replace.
Dashboard and encryption
The dashboard stores API keys encrypted at rest using ENCRYPTION_KEY. Use a strong, random value (e.g. openssl rand -hex 32) and keep it secret. Losing it prevents decryption of stored keys. NextAuth sessions are signed with NEXTAUTH_SECRET; keep that secret as well and use HTTPS in production.
Network and transport
- Always use HTTPS for the API and dashboard in production. Vercel, Render, and Railway provide TLS by default when using their domains.
- Restrict dashboard OAuth redirect URIs to your actual domain so third parties cannot abuse your client IDs.
Payments and 402
Payment requirements and signatures are passed through your agent and the API. Do not log full payment headers or signatures in plaintext in production. When receiving payments (returning 402 with your payTo), use a wallet you control and only expose the minimum amount and asset information required by the protocol.
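One way to keep payment headers and signatures out of production logs is to pass every request through a redaction step before it reaches the logger. The following is an added example, not AgentPay code; the header names, the field names other than payTo, and the sample request are assumptions made for illustration.

```javascript
// Added example, not AgentPay code. Header and field names are assumptions;
// replace them with the ones your integration actually sends and receives.
const SENSITIVE_HEADERS = new Set(["authorization", "x-api-key", "x-payment", "x-payment-response"]);
const SENSITIVE_FIELDS = new Set(["signature", "apikey", "api_key"]);
const MASK = "[REDACTED]";

// Returns a loggable copy of the headers; accepts a plain object or a Fetch Headers instance.
function redactHeaders(headers) {
  const entries = typeof headers.entries === "function" ? [...headers.entries()] : Object.entries(headers);
  const out = {};
  for (const [name, value] of entries) {
    // Header names are case-insensitive, so compare in lower case.
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? MASK : value;
  }
  return out;
}

// Recursively masks sensitive fields in a parsed JSON body without mutating the input.
function redactBody(node) {
  if (Array.isArray(node)) return node.map(redactBody);
  if (node === null || typeof node !== "object") return node;
  const out = {};
  for (const [key, value] of Object.entries(node)) {
    out[key] = SENSITIVE_FIELDS.has(key.toLowerCase()) ? MASK : redactBody(value);
  }
  return out;
}

// Single entry point for request logging: nothing reaches the logger unredacted.
function toLogRecord(req) {
  return { method: req.method, path: req.path, headers: redactHeaders(req.headers), body: redactBody(req.body) };
}

// Constructed sample request, for illustration only.
const sampleRequest = {
  method: "POST",
  path: "/example",
  headers: { "Content-Type": "application/json", "X-Payment": "constructed-header-value", Authorization: "Bearer constructed-key" },
  body: { payTo: "0xCONSTRUCTED", amount: "1", payload: { signature: "0xconstructed" } },
};
console.log(JSON.stringify(toLogRecord(sampleRequest)));
```

Non-sensitive values such as payTo and amount pass through unchanged, so the log line stays useful for debugging payment flows.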
Dependencies and deployment
Keep the API, dashboard, and SDKs up to date with security patches. Run npm audit and address high-severity issues. In deployment, run the API and dashboard with minimal privileges and ensure DATABASE_URL and other secrets are not exposed to the client or logs.