Hello Clever’s API is built with multiple layers of protection to ensure every request is authenticated, every transmission is encrypted, and every integration remains resilient against abuse. This page covers the security architecture underpinning the Hello Clever API (including authentication, data encryption, rate limiting, server-to-server communication, dashboard key management, and data privacy compliance) along with concrete best practices you should follow in your own integration.

Secure authentication and access control

Hello Clever validates every API request before granting access to any resource, ensuring that only authorised applications can interact with data and services.

API keys and secret keys

Each API client receives a unique API key and secret key pair. Store these securely and share them only with authorised systems.

Token-based authentication

Hello Clever uses token-based authentication as an additional layer, reducing the risk of unauthorised access even if a key is inadvertently exposed.

Access control

Permissions are scoped per API key. Each key only accesses the endpoints and data it has been explicitly authorised for.

IP whitelisting

For sensitive endpoints, you can restrict access to pre-approved server IP addresses, limiting the attack surface for your integration.

HTTPS and data encryption

All data transmitted between your application and Hello Clever’s servers is encrypted end-to-end using HTTPS with SSL/TLS.
  • SSL/TLS encryption ensures that transaction data and account details remain confidential during transmission and cannot be read if intercepted.
  • Protection against man-in-the-middle attacks: HTTPS prevents unauthorised parties from intercepting or tampering with data in transit.
Never make API requests over plain HTTP. All Hello Clever API endpoints require HTTPS. Requests over HTTP will be rejected.

Rate limiting and throttling

Hello Clever applies rate limiting to every API client to maintain platform stability and protect against abuse.
  • Request limits: each client is assigned a maximum number of requests per minute based on usage patterns. Exceeding this limit results in temporary throttling.
  • Automatic throttling: if you exceed your rate limit, further requests are queued or rejected temporarily, ensuring high traffic from one client does not degrade the experience for others.
  • DDoS protection: rate limiting reduces the risk of Distributed Denial-of-Service attacks by controlling the flow of requests across all clients.
If you receive 429 Too Many Requests responses, implement exponential back-off and retry logic in your integration rather than retrying immediately.

Secure server-to-server communication

When integrating Hello Clever directly server-to-server, follow these practices to keep communication secure:
  • Store API keys securely: use environment variables or a secrets manager. Never hard-code keys in source code or commit them to version control.
  • Encrypt all transmissions: all server-to-server calls must use HTTPS. Hello Clever encrypts API key data during transmission to prevent interception.
  • Use IP whitelisting: restrict specific API keys to known server IP ranges for an additional boundary around sensitive operations.

Merchant dashboard: protecting your API keys

The Hello Clever Merchant Dashboard includes built-in tools for managing and protecting your API keys.
Dashboard access requires MFA, adding an extra verification step that prevents unauthorised users from reaching your API keys even if account credentials are compromised.
Assign specific roles and permissions to team members so that only personnel with a legitimate need can view or manage API keys. Limit administrative access to your smallest viable team.
Generate new keys, rotate existing keys, and revoke compromised keys directly from the dashboard. Regular key rotation limits the window of exposure if a key is ever leaked.

Data privacy and compliance

Hello Clever’s API follows GDPR, CCPA, and other applicable data protection regulations.
  • Data minimisation: Hello Clever collects only the data necessary for each API function, reducing exposure in the event of a breach.
  • Access controls: sensitive data is restricted to API keys with explicit permission, preventing over-privileged access.
  • Audit logs: Hello Clever maintains logs of API requests for compliance monitoring, ensuring data access is traceable and accountable.

Best practices checklist

Follow these practices to maintain a secure integration with Hello Clever’s API:
1

Store keys in a secrets manager

Keep API keys and secret keys in a secure secrets management service (such as AWS Secrets Manager, HashiCorp Vault, or equivalent). Never store them in plain-text configuration files, source code, or public repositories.
2

Rotate API keys regularly

Rotate keys on a scheduled basis and immediately revoke any key you suspect may have been compromised.
3

Use HTTPS for every request

Confirm your HTTP client enforces HTTPS and validates TLS certificates. Disable any configuration that allows falling back to plain HTTP.
4

Monitor your API usage

Review your API access logs regularly to detect anomalous request volumes, unexpected endpoints being called, or unusual geographic origins that may indicate unauthorised use.
5

Limit endpoint access

Request only the permissions your application genuinely needs. Avoid requesting broad access scopes when a narrower permission set is sufficient.