Secure authentication and access control
Hello Clever validates every API request before granting access to any resource, ensuring that only authorised applications can interact with data and services.API keys and secret keys
Each API client receives a unique API key and secret key pair. Store these securely and share them only with authorised systems.
Token-based authentication
Hello Clever uses token-based authentication as an additional layer, reducing the risk of unauthorised access even if a key is inadvertently exposed.
Access control
Permissions are scoped per API key. Each key only accesses the endpoints and data it has been explicitly authorised for.
IP whitelisting
For sensitive endpoints, you can restrict access to pre-approved server IP addresses, limiting the attack surface for your integration.
HTTPS and data encryption
All data transmitted between your application and Hello Clever’s servers is encrypted end-to-end using HTTPS with SSL/TLS.- SSL/TLS encryption ensures that transaction data and account details remain confidential during transmission and cannot be read if intercepted.
- Protection against man-in-the-middle attacks: HTTPS prevents unauthorised parties from intercepting or tampering with data in transit.
Rate limiting and throttling
Hello Clever applies rate limiting to every API client to maintain platform stability and protect against abuse.- Request limits: each client is assigned a maximum number of requests per minute based on usage patterns. Exceeding this limit results in temporary throttling.
- Automatic throttling: if you exceed your rate limit, further requests are queued or rejected temporarily, ensuring high traffic from one client does not degrade the experience for others.
- DDoS protection: rate limiting reduces the risk of Distributed Denial-of-Service attacks by controlling the flow of requests across all clients.
If you receive
429 Too Many Requests responses, implement exponential back-off and retry logic in your integration rather than retrying immediately.Secure server-to-server communication
When integrating Hello Clever directly server-to-server, follow these practices to keep communication secure:- Store API keys securely: use environment variables or a secrets manager. Never hard-code keys in source code or commit them to version control.
- Encrypt all transmissions: all server-to-server calls must use HTTPS. Hello Clever encrypts API key data during transmission to prevent interception.
- Use IP whitelisting: restrict specific API keys to known server IP ranges for an additional boundary around sensitive operations.
Merchant dashboard: protecting your API keys
The Hello Clever Merchant Dashboard includes built-in tools for managing and protecting your API keys.Multi-factor authentication (MFA)
Multi-factor authentication (MFA)
Dashboard access requires MFA, adding an extra verification step that prevents unauthorised users from reaching your API keys even if account credentials are compromised.
Role-based access control
Role-based access control
Assign specific roles and permissions to team members so that only personnel with a legitimate need can view or manage API keys. Limit administrative access to your smallest viable team.
Key management and rotation
Key management and rotation
Generate new keys, rotate existing keys, and revoke compromised keys directly from the dashboard. Regular key rotation limits the window of exposure if a key is ever leaked.
Data privacy and compliance
Hello Clever’s API follows GDPR, CCPA, and other applicable data protection regulations.- Data minimisation: Hello Clever collects only the data necessary for each API function, reducing exposure in the event of a breach.
- Access controls: sensitive data is restricted to API keys with explicit permission, preventing over-privileged access.
- Audit logs: Hello Clever maintains logs of API requests for compliance monitoring, ensuring data access is traceable and accountable.
Best practices checklist
Follow these practices to maintain a secure integration with Hello Clever’s API:1
Store keys in a secrets manager
Keep API keys and secret keys in a secure secrets management service (such as AWS Secrets Manager, HashiCorp Vault, or equivalent). Never store them in plain-text configuration files, source code, or public repositories.
2
Rotate API keys regularly
Rotate keys on a scheduled basis and immediately revoke any key you suspect may have been compromised.
3
Use HTTPS for every request
Confirm your HTTP client enforces HTTPS and validates TLS certificates. Disable any configuration that allows falling back to plain HTTP.
4
Monitor your API usage
Review your API access logs regularly to detect anomalous request volumes, unexpected endpoints being called, or unusual geographic origins that may indicate unauthorised use.
5
Limit endpoint access
Request only the permissions your application genuinely needs. Avoid requesting broad access scopes when a narrower permission set is sufficient.