Security & Data Privacy
Security is the foundation of Fype. As a payments orchestrator, we take extreme measures to ensure your data and your customers’ payment credentials remain secure.
Credential Encryption
When you connect a payment provider (like Razorpay) to Fype, your API keys and secrets are never stored in plain text.
1. Encryption Standard
Fype uses Fernet (AES-128 in CBC mode with HMAC-SHA256) for authenticated encryption. This is an industry-standard specification that ensures:
- Confidentiality: Only authorized Fype services can read the credentials.
- Integrity: Any attempt to tamper with the encrypted data is immediately detected.
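
The integrity property comes from the Fernet token layout: an HMAC-SHA256 tag covers the version byte, timestamp, IV and ciphertext, and it is checked before any decryption. The following is an added example, not Fype's code, that parses a token and verifies that tag with the Python standard library only; the AES step is left out. The function names are hypothetical, and the key and token are constructed demo values with random filler standing in for real ciphertext.

```python
import base64, hashlib, hmac, os, struct, time

VERSION = b"\x80"  # the only version byte the Fernet spec defines

def split_key(fernet_key: bytes) -> tuple[bytes, bytes]:
    """A Fernet key is 32 bytes: 16-byte signing key, then 16-byte AES key."""
    raw = base64.urlsafe_b64decode(fernet_key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]

def seal(signing_key: bytes, iv: bytes, ciphertext: bytes, ts: int) -> bytes:
    """Assemble version | timestamp | IV | ciphertext and append the HMAC tag."""
    body = VERSION + struct.pack(">Q", ts) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def verify(signing_key: bytes, token: bytes) -> dict:
    """Check structure and HMAC before anything would be decrypted."""
    raw = base64.urlsafe_b64decode(token)
    # 1 version + 8 timestamp + 16 IV + at least 16 ciphertext + 32 tag
    if len(raw) < 73 or raw[:1] != VERSION:
        raise ValueError("malformed token")
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: token was modified or wrong key")
    ciphertext = body[25:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {"timestamp": struct.unpack(">Q", body[1:9])[0],
            "iv": body[9:25], "ciphertext": ciphertext}

def flip_bit(token: bytes, index: int) -> bytes:
    """Return a copy of the token with one bit changed in the decoded bytes."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))

# Constructed demo values: a random key and filler bytes in place of AES output.
DEMO_KEY = base64.urlsafe_b64encode(os.urandom(32))
SIGNING_KEY, _AES_KEY = split_key(DEMO_KEY)
DEMO_TOKEN = seal(SIGNING_KEY, os.urandom(16), os.urandom(32), int(time.time()))

if __name__ == "__main__":
    print(verify(SIGNING_KEY, DEMO_TOKEN)["timestamp"])
    try:
        verify(SIGNING_KEY, flip_bit(DEMO_TOKEN, 30))  # one bit of ciphertext
    except ValueError as err:
        print(err)
```
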
2. Encryption Workflow
- Ingestion: You submit credentials via the Dashboard or API.
- Encryption: Fype’s backend immediately encrypts the payload using a unique FYPE_ENCRYPTION_KEY.
- Storage: Only the encrypted bytes are stored in our PostgreSQL database.
- Just-in-Time Decryption: Credentials are only decrypted in-memory during the narrow window when Fype needs to sign a request to the provider gateway.
API Security
1. Secret Keys
Fype uses environment-specific secret keys (fype_test_ and fype_live_). These keys should always be kept on your server.
2. TLS Everywhere
All communication with the Fype API, the Dashboard, and the Checkout page is enforced over TLS 1.2 or higher. We use HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.
3. Request Signing (Webhooks)
Fype signs all outgoing webhooks using a unique secret per endpoint. This allows you to verify that the request originated from Fype and hasn’t been modified in transit.
Data Privacy
1. PII (Personally Identifiable Information)
Fype stores minimal customer PII. We only require a customer_email to facilitate communication with the payment gateway and to display order details on the checkout page.
2. Payment Data (PCI Compliance)
Fype is designed to keep your servers out of PCI scope.
- Hosted Checkout: Payment card details are entered directly on Fype’s hosted checkout page or the gateway’s embedded UI.
- No Persistence: Fype never stores credit card numbers, CVVs, or expiry dates in its database. We only store anonymized references (like Gateway Payment IDs) to facilitate status tracking and refunds.
3. Data Isolation
Test and Live data are strictly isolated at the application layer. Credentials connected in Test mode can never be used to process Live payments, and vice-versa.
Best Practices for Merchants
- Rotate Keys Regularly: We recommend rotating your Fype API keys every 90 days.
- Use Environment Variables: Never hardcode Fype keys or Webhook secrets in your source code.
- Restrict Webhook Endpoints: Always use HTTPS for your webhook URLs and implement signature verification.
- Minimal Metadata: While Fype allows custom metadata, avoid storing highly sensitive user information in these fields.