Security

7. Security & Anti-Replay

HTTPS only.
code is one-time, TTL 2-5 minutes, store used code/state pairs.
Validate Bearer api_key.
For webhook, verify HMAC (X-Cryptopass-Signature) and/or Bearer webhook_api_key.
Apply rate limits, log requests/responses (redact secrets).

Important: do not log api_key, webhook_secret, or user tokens.