# Security

Payments API
## Overview

The Voltage Payments API uses API key authentication to secure access to Lightning Network payment functionality. API keys are scoped to specific environments and can be configured with granular permissions and IP restrictions.

## Authentication

### API key authentication

All API requests must include the `x-api-key` header with a valid environment API key:

```
x-api-key: your-api-key-here
```

### Environment scoping

API keys are scoped to a specific environment (staging or production). When generating a key, select the correct environment to ensure proper isolation between test and production systems.

### API key permissions

Each API key can be configured with one or more permission levels. Apply the principle of least privilege by granting only the permissions required for the key's intended use.

| Permission | Capabilities | Use case |
|---|---|---|
| Read | List wallets and transaction history | Reporting dashboards, audit tools, read-only integrations |
| Write | Create wallets and send/receive payments | Payment processing backends, wallet management services |
| Billing | List billing statement history | Finance and accounting integrations |

### IP allowlisting

Restrict API key usage to specific IP addresses or ranges. Supported formats:

- IPv4 addresses (e.g., 192.168.1.1)
- IPv6 addresses
- CIDR notation (e.g., 10.0.0.0/8)

Leave the IP allowlist blank to permit requests from any IP address. For production keys, IP restrictions are strongly recommended.

## Webhook security

When configuring webhooks, each webhook receives a unique shared secret used to verify payload authenticity. This secret is only displayed once, when creating or rotating the webhook.

- Store the shared secret securely (e.g., environment variables, a secrets manager).
- Validate webhook signatures on all incoming payloads before processing.
- Rotate secrets if you suspect they have been compromised.

## Best practices

- **Use descriptive key names.** Name keys by purpose and environment (e.g., "prod payment service", "staging reporting dashboard") for easy identification and auditing.
- **Apply least privilege.** Only enable the permissions required for the key's intended use. A reporting dashboard only needs read access.
- **Enable IP restrictions for production.** Limit production API keys to known server IP addresses or ranges to prevent unauthorized use if a key is leaked.
- **Never commit keys to version control.** Store API keys in environment variables or a secrets management system, and add credential patterns to `.gitignore`.
- **Use separate keys per service.** Create dedicated API keys for each service or integration so that a single key can be revoked without affecting the others.
- **Rotate keys periodically.** Establish a key rotation schedule, and revoke and replace any key that may have been exposed.
- **Audit key usage.** Regularly review which keys exist, their permissions, and whether they are still needed.
- **Separate staging and production.** Never use production API keys in development or staging environments.

## API reference

- Base URL: https://voltageapi.com/v1
- Full OpenAPI specification: https://voltageapi.com/v1/docs
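As an added example, not Voltage's own code, the following Python shows the webhook signature check described under Webhook security above. It assumes the signature is a hex-encoded HMAC-SHA256 of the raw request body carried in an `x-webhook-signature` header; the header name, the encoding and the sample secret are assumptions for illustration, since the page does not specify the scheme.

```python
import hmac
import hashlib

# Constructed sample secret for the example (not a real Voltage credential).
WEBHOOK_SECRET = "whsec_example_do_not_use"

# Assumed scheme: hex-encoded HMAC-SHA256 of the raw request body, carried in
# this header. Header name and encoding are assumptions, not Voltage's format.
SIGNATURE_HEADER = "x-webhook-signature"


def compute_signature(secret: str, raw_body: bytes) -> str:
    """Return the hex HMAC-SHA256 of the raw body under the shared secret."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secret: str) -> bool:
    """Verify a webhook payload before any processing.

    Signs the raw bytes exactly as received: re-serialising parsed JSON can
    change whitespace or key order and break the signature. The comparison is
    constant-time so a forged signature cannot be refined byte by byte.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    provided = lowered.get(SIGNATURE_HEADER)
    if not provided:
        return False  # unsigned payloads are rejected, never processed
    provided = provided.strip().lower()
    if not provided.isascii():
        return False  # compare_digest only accepts ASCII strings
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    # Constructed sample payload.
    body = b'{"event":"payment.received","amount_msats":21000}'
    good = {SIGNATURE_HEADER: compute_signature(WEBHOOK_SECRET, body)}
    print(verify_webhook(good, body, WEBHOOK_SECRET))         # True
    print(verify_webhook(good, body + b" ", WEBHOOK_SECRET))  # False: body altered
    print(verify_webhook({}, body, WEBHOOK_SECRET))           # False: no signature
```

Rejected payloads should be logged with the source address and dropped; the handler must never fall back to processing an unsigned or mismatched body.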