General: Security

To secure communications, ConnectPay API Gateway uses several security layers.

Server-to-Server communications

ConnectPay does not have static IP addresses for its API servers, nor is it mandatory to whitelist TPP IP addresses.

To secure the server-to-server channel, ConnectPay uses mutual TLS (a.k.a. mTLS, 2-way TLS, etc.).

The API consumer, acting as the communication client, has to provide a CA-issued full certificate chain in X.509 ASCII Base64 format (PEM) containing the leaf, intermediate and root certificates.
Self-signed certificates are not sufficient and won't be accepted.
The certificate chain must be complete, starting with the leaf certificate and ending with the root certificate.

Send cert chain to the

The ConnectPay technical team will add the provided certificate chain to its truststores.

Certificate chains in reversed order, in an incorrect format or with an incomplete chain will be rejected.

With each API request, the client certificate is validated at the web server level (checking, for example, that it has not expired) and at the application level (checking that the certificate presented in the HTTPS handshake is the same as the certificate provided by the client, and that it has not been revoked).

Access mTLS-protected APIs via these hostnames:



Browser/Public-to-Server communications

In some cases, ConnectPay APIs must be accessed via a public domain: auth redirects, notification webhooks, etc.

To access such APIs, use the separate 1-way TLS API hostnames:



1-way and 2-way APIs are mutually exclusive: you can't access certificate-protected APIs via the 1-way TLS subdomain, and vice versa.

API security

Generic API access

APIs that do not require access to a ConnectPay Person's data are protected by HTTP Basic Auth.

Check your DevApp configuration on the DevPortal to retrieve the ClientKey and ClientSecret.

Encode the colon-separated ClientKey and ClientSecret in Base64 and add the result to the Authorization header:

Authorization: Basic Q29ubmVjdFBheTpFYXN5QmFua2luZw==

In the example above, the ClientKey is ConnectPay and the ClientSecret is EasyBanking:

Authorization: Basic Base64(ConnectPay:EasyBanking)

Data API access

To make payments, get statements or account lists, the API consumer must have the ConnectPay Person's explicit permission allowing access to the specific data.

Such APIs are protected using OAuth access tokens. Add the access token as a Bearer type to the Authorization header when accessing these APIs:

Authorization: Bearer brQ7FzFtwraVgut3Iv4ENQax5ea95r

Access tokens grant specific access rights defined by scopes, and they are issued to a Person+Customer / DevApp pair.

This security method is built following the Client Credentials Grant flow defined in the OAuth 2.0 standard.
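To tie the two API security schemes above to the two TLS channels, here is an added client-side helper (example code, not ConnectPay's own SDK). It builds the Basic header for generic APIs exactly as described (Base64 of ClientKey:ClientSecret, reproducing the documented value), the Bearer header for data APIs, and a TLS context for either the 1-way channel (server verification only) or the 2-way channel (server verification plus the client's full chain). The hostnames are placeholders, since the page does not list the real ones, and which hostname family a given API lives on must be taken from the hostname lists above.

```python
import base64
import ssl
import urllib.request

# Placeholders: the page does not list ConnectPay's real hostnames (assumed names).
MTLS_HOST = "mtls.api.example.invalid"      # 2-way TLS, certificate-protected APIs
PUBLIC_HOST = "public.api.example.invalid"  # 1-way TLS, public-domain APIs


def basic_auth_header(client_key, client_secret):
    """Authorization value for generic APIs: Base64 of 'ClientKey:ClientSecret'."""
    if ":" in client_key:
        # RFC 7617: the user-id part must not contain a colon, or the split is ambiguous
        raise ValueError("ClientKey must not contain ':'")
    creds = f"{client_key}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def decode_basic_auth(header_value):
    """Inverse of basic_auth_header: confirm what a header actually carries."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    key, sep, secret = decoded.partition(":")   # first colon splits; secret may contain colons
    if not sep:
        raise ValueError("credentials are not colon separated")
    return key, secret


def bearer_auth_header(access_token):
    """Authorization value for data APIs: the OAuth access token as a Bearer token."""
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token must be a single non-empty token")
    return f"Bearer {access_token}"


def tls_context(mutual, chain_pem=None, key_pem=None):
    """1-way: verify the server only. 2-way: also present the client's leaf->root chain."""
    ctx = ssl.create_default_context()          # verifies server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if mutual:
        if not (chain_pem and key_pem):
            raise ValueError("mutual TLS needs the full client chain file and its private key")
        ctx.load_cert_chain(certfile=chain_pem, keyfile=key_pem)
    return ctx


def build_request(path, authorization, mutual, payload=None):
    """Pair the request with the hostname family of its channel; the two are not interchangeable."""
    host = MTLS_HOST if mutual else PUBLIC_HOST
    req = urllib.request.Request(f"https://{host}{path}", data=payload,
                                 method="POST" if payload is not None else "GET")
    req.add_header("Authorization", authorization)
    return req


if __name__ == "__main__":
    # Values from the page's own examples
    print(basic_auth_header("ConnectPay", "EasyBanking"))
    print(decode_basic_auth("Basic Q29ubmVjdFBheTpFYXN5QmFua2luZw=="))
    req = build_request("/v1/example", bearer_auth_header("brQ7FzFtwraVgut3Iv4ENQax5ea95r"), mutual=True)
    print(req.full_url, req.get_header("Authorization"))
    # Sending would be: urllib.request.urlopen(req, context=tls_context(True, "chain.pem", "key.pem"))
```

`ssl.create_default_context()` already enforces server certificate and hostname verification; `load_cert_chain` expects the same leaf-first PEM bundle that is submitted to ConnectPay, so a mis-ordered file fails here before it ever reaches the gateway.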