Securing PayEngine Webcomponents
PayEngine secures its embedded web components with controls at several layers: a server-side session that is minted with the partner's private key, a client-side library that only ever sees a public key and short-lived access tokens, and explicit revocation when a user's session ends. Addressing security at each of these levels protects sensitive merchant data and keeps the integrity of the host application's interactions with PayEngine.
PayEngine uses a MerchantSession to let embedded web components access merchant data and to let merchants interact with it.
Obtaining a new Merchant Session
This example illustrates a server-side implementation for obtaining a secure session using the partner's private key.
The private key must never be exposed to the client side; it must be stored securely and used only for server-to-server calls. Keeping token acquisition on the partner backend ensures that the access token is obtained securely and that the credential is handled according to best practice. The resulting flow runs from the partner's web application, through the partner backend, to PayEngine's services, and only the short-lived access token ever reaches the browser.
Note: Setting the scope parameter to 'readonly' restricts certain actions in the embedded widgets, such as hiding the Refund button in the Transactions widget and disabling the Export button. Choose the scope on the server, based on the logged-in user's permissions, rather than letting the client request it.
Load PayEngine Library
To access the latest PayEngine tokenization features and APIs, please update to PayEngine@1.0.6 or higher. This update provides essential improvements and ensures compatibility with our latest security standards.
When the PayEngine library needs an access token, it uses the fetchAccessToken callback to ask the host application to make a server-side call and obtain one.
Note that PayEngine calls fetchAccessToken whenever an access token is needed or needs to be refreshed, so the callback must not cache a token beyond its lifetime and must always be able to obtain a fresh one from the partner backend.
This example demonstrates how to implement client-side code using PayEngine's public key and fetchAccessToken callback, ensuring that sensitive private key data remains secure and never exposed to the client side.
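The pattern the two passages above describe, as an added example that is not PayEngine's own code: a partner backend function that mints a MerchantSession with the private key and a route handler that authenticates the partner's own user before doing so, plus the browser-side configuration that supplies only the public key and a fetchAccessToken callback. The PayEngine session endpoint URL, its Authorization scheme, the response field names, the `/payengine/access-token` partner route, the `req.user` and `role` fields, and the shape of the client configuration object are assumptions for illustration; only the names `fetchAccessToken`, the public/private key split and the `readonly` scope come from the page. The fetch implementation is injectable so the code runs offline.

```javascript
// Added example (not PayEngine's code). Endpoint URLs, auth scheme, field names
// and the client config shape are ASSUMPTIONS used for illustration.
const PAYENGINE_SESSION_URL = "https://example.invalid/payengine/merchant-session"; // assumed

// ---- Partner backend (server side only) ----
// `privateKey` comes from server configuration (env var, secret manager) and
// must never be embedded in a page, bundle or client response.
async function createMerchantSession({ privateKey, merchantId, scope = "full" }, fetchImpl = fetch) {
  if (!privateKey) throw new Error("PayEngine private key is not configured");
  if (!["full", "readonly"].includes(scope)) throw new Error(`unsupported scope: ${scope}`);
  const res = await fetchImpl(PAYENGINE_SESSION_URL, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${privateKey}`, // assumed auth scheme
    },
    body: JSON.stringify({ merchantId, scope }),
  });
  if (!res.ok) throw new Error(`session request failed: ${res.status}`);
  const data = await res.json();
  // Return only what the browser needs: the short-lived token and its expiry.
  // Never forward the raw upstream response, which may carry fields the client should not see.
  return { accessToken: data.accessToken, expiresAt: data.expiresAt };
}

// Route handler for the partner backend, e.g. GET /payengine/access-token (assumed path).
// It checks the partner's own user session first, picks the merchant that user may act on,
// and derives the scope from the user's role. The private key never leaves this closure.
function makeAccessTokenHandler({ privateKey, resolveMerchant, fetchImpl = fetch }) {
  return async function handle(req) {
    const user = req.user; // populated by the partner's auth middleware (assumed)
    if (!user) return { status: 401, body: { error: "not authenticated" } };
    const merchantId = resolveMerchant(user);
    if (!merchantId) return { status: 403, body: { error: "no merchant access" } };
    const scope = user.role === "viewer" ? "readonly" : "full"; // server decides the scope
    const session = await createMerchantSession({ privateKey, merchantId, scope }, fetchImpl);
    return { status: 200, body: session };
  };
}

// ---- Browser (client side) ----
// Only the public key and a callback are configured. PayEngine invokes fetchAccessToken
// whenever it needs a token or must refresh one, so the callback simply asks the partner
// backend each time and returns the token string; it keeps no copy of its own.
function buildClientConfig({ publicKey, fetchImpl = fetch }) {
  return {
    publicKey,
    fetchAccessToken: async () => {
      const res = await fetchImpl("/payengine/access-token", { credentials: "same-origin" });
      if (!res.ok) throw new Error(`could not obtain access token: ${res.status}`);
      const { accessToken } = await res.json();
      return accessToken;
    },
  };
}
```

The check worth keeping from this example is the last line of `createMerchantSession`: build the client response from named fields rather than echoing the upstream body, so that nothing beyond the access token can leak to the browser even if the session API returns more.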
Logout - Revoke Access Token
Access tokens expire on their own, but a token issued to a user is still valid until that expiry even after the user logs out of the partner application. Relying solely on expiration therefore leaves a window in which a token copied from the browser can still make authenticated requests, and it also gives a confusing user experience if widgets keep working after logout. Invalidate the token as soon as the user's session ends on the server.
This section provides an example of both client-side and server-side implementations for partners.
For immediate session revocation on logout, we recommend implementing client-side access token revocation.
To invalidate the access token on the client side, call the following method in your JavaScript code. This ensures that the user's session is terminated, preventing further authenticated requests until they log in again. Pair it with server-side revocation: the partner backend should revoke every token it issued to that user session and then destroy its own session, so that a stale token cannot be replayed from another tab or a copied request.
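Logout on both sides, as an added example that is not PayEngine's own code: the partner backend keeps a registry of the access tokens it has issued per user session, revokes all of them with PayEngine and destroys the session, while the browser drops the widget's token first and then calls the backend. The revocation endpoint URL and request body, the `Bearer` scheme, the `/logout` partner route, the `req.sessionId` field and the client-side `payengine.logout()` method name are assumptions; the page gives no method name, so the client call is written defensively against an object that may not expose one. The fetch implementation is injectable so the block runs offline.

```javascript
// Added example (not PayEngine's code). Revocation endpoint, request body, auth scheme
// and the client-side logout method name are ASSUMPTIONS used for illustration.
const PAYENGINE_REVOKE_URL = "https://example.invalid/payengine/merchant-session/revoke"; // assumed

// Server side: remember every token minted for a partner user session, so logout can
// revoke all of them (several tabs or refreshes may each have obtained one), not only the last.
class TokenRegistry {
  constructor() { this.bySession = new Map(); }
  record(sessionId, accessToken) {
    if (!this.bySession.has(sessionId)) this.bySession.set(sessionId, new Set());
    this.bySession.get(sessionId).add(accessToken);
  }
  // Remove and return the tokens for a session; a second call returns an empty list.
  take(sessionId) {
    const tokens = [...(this.bySession.get(sessionId) ?? [])];
    this.bySession.delete(sessionId);
    return tokens;
  }
}

// Server-to-server revocation with the private key. Returns true when PayEngine accepted it.
async function revokeAccessToken(privateKey, accessToken, fetchImpl = fetch) {
  const res = await fetchImpl(PAYENGINE_REVOKE_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${privateKey}` }, // assumed scheme
    body: JSON.stringify({ accessToken }),
  });
  return res.ok;
}

// Partner backend logout handler, e.g. POST /logout (assumed path). Revokes every token for
// the session, then destroys the session regardless of revocation outcome: a failed upstream
// call must not keep the user logged in. Failures are reported so they can be retried or alerted.
function makeLogoutHandler({ privateKey, registry, destroySession, fetchImpl = fetch }) {
  return async function handle(req) {
    const sessionId = req.sessionId; // set by the partner's session middleware (assumed)
    if (!sessionId) return { status: 401, body: { error: "not authenticated" } };
    const tokens = registry.take(sessionId);
    const results = await Promise.all(tokens.map((t) => revokeAccessToken(privateKey, t, fetchImpl)));
    await destroySession(sessionId);
    const failed = results.filter((ok) => !ok).length;
    return { status: failed ? 500 : 200, body: { revoked: results.length - failed, failed } };
  };
}

// Browser side: drop the widget's token first so no further widget requests go out, then
// tell the backend to revoke and end the session, then leave the authenticated page.
async function logoutClient({ payengine, fetchImpl = fetch, navigate = () => {} }) {
  if (payengine && typeof payengine.logout === "function") await payengine.logout(); // assumed method name
  const res = await fetchImpl("/logout", { method: "POST", credentials: "same-origin" });
  navigate("/login");
  return res.ok;
}
```

To use the registry, call `registry.record(sessionId, accessToken)` wherever the backend hands a freshly minted token to the browser; the logout handler then has the full list to revoke. Destroying the partner session even when an upstream revocation fails is deliberate: the worst case is a token that lives until its natural expiry, which is no worse than the situation this section is fixing.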