# Protect sensitive data
Minimize PII, credentials, webhook payloads, and customer metadata in requests, logs, analytics, and support workflows.
Payment, ramp, liquidity, and webhook integrations can touch sensitive customer and transaction data. Keep your public docs, examples, and implementation patterns focused on minimization and redaction.
## Never publish real customer data
Examples should use fake references, fake emails, fake wallet addresses, and synthetic ids. Do not paste real webhook payloads, KYC details, provider responses, or customer support screenshots into docs.
## Data minimization flow
## Redaction table
| Data | Store? | Log? | Notes |
|---|---|---|---|
| Secret API key | Secret manager only | Never | Treat as credential. |
| Webhook secret | Secret manager only | Never | Used only for HMAC verification. |
| Client secret | Short-lived operational storage if needed | Never | Browser capability for one session. |
| Event id | Yes | Yes | Safe dedupe and support identifier. |
| Product object id | Yes | Yes | Use with your local attempt id. For 0Gate, this is the session id. |
| Raw webhook body | Restricted storage only if required | No | Prefer parsed redacted summaries. |
| Customer PII | Minimum required | Redacted | Avoid analytics and broad support exposure. |
## Safe support payload
```typescript
// Minimal shape of a local payment attempt, assumed here so the snippet compiles;
// your own record will carry more fields, none of which should reach support.
interface PaymentAttempt {
  id: string;
  productObjectId: string;
  lastEventId: string | null;
  status: string;
  lastRequestId: string | null;
  createdAt: string;
}

// Builds the only view of an attempt that support tooling should receive.
function supportSnapshot(attempt: PaymentAttempt) {
  return {
    attemptId: attempt.id,
    productObjectId: attempt.productObjectId,
    lastEventId: attempt.lastEventId,
    status: attempt.status,
    requestId: attempt.lastRequestId,
    createdAt: attempt.createdAt,
    // No credentials, client secrets, raw webhook bodies, or full PII.
  };
}
```

## Rules
- Use fake values in all documentation and screenshots.
- Redact authorization headers and webhook signatures.
- Keep raw payload access behind restricted backend permissions.
- Do not store payment method details unless the approved product contract requires it.
- Do not put sensitive metadata into `user_reference` values.
- Review compliance and privacy wording before publishing country, KYC, KYB, or eligibility claims.
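The following is an added example, not code from the 0Gate docs or SDK. It applies the redaction table and the rules above to one inbound webhook: secret headers are blanked before logging, the raw body is parsed once into a redacted summary that keeps only identifiers and masked hints, and `user_reference` values are checked for PII before a request leaves your backend. The header and JSON field names used (`X-Webhook-Signature`, `event_id`, `product_object_id`, `customer.email`, `customer.wallet`) and the sample request are illustrative assumptions, not the provider's documented schema.

```typescript
// Added example (not 0Gate's own code). Field and header names are assumptions.

// Header names (lower-case) whose values must never appear in logs.
const SECRET_HEADERS = new Set(["authorization", "x-api-key", "x-webhook-signature", "cookie"]);

// Patterns that indicate a value carries PII or a credential rather than an opaque id.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const EVM_ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;
const PHONE_RE = /^\+?\d[\d\s-]{8,}$/;
const SECRET_PREFIX_RE = /^(sk|whsec|cs)_/; // assumed key prefixes for illustration

// Returns a copy of the request headers that is safe to write to logs.
function redactHeaders(headers: Record<string, string>): Record<string, string> {
  const safe: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    safe[name] = SECRET_HEADERS.has(name.toLowerCase()) ? "[REDACTED]" : value;
  }
  return safe;
}

// Keep a hint support can match against a customer's report, never the full value.
function maskEmail(email: string): string {
  const at = email.indexOf("@");
  return at > 0 ? `${email[0]}***@${email.slice(at + 1)}` : "[REDACTED]";
}

function maskAddress(address: string): string {
  return address.length > 12 ? `${address.slice(0, 6)}...${address.slice(-4)}` : "[REDACTED]";
}

function looksSensitive(value: string): boolean {
  return EMAIL_RE.test(value) || EVM_ADDRESS_RE.test(value) || PHONE_RE.test(value) || SECRET_PREFIX_RE.test(value);
}

// Call before sending a request: rejects a user_reference that would leak PII or a key.
function assertOpaqueUserReference(value: string): string {
  if (looksSensitive(value)) {
    throw new Error("user_reference must be an opaque local id, not PII or a credential");
  }
  return value;
}

interface RedactedSummary {
  eventId: string;
  productObjectId: string;
  status: string;
  userReference: string | null;
  customer: { emailHint: string; walletHint: string } | null;
}

// Parse the raw webhook body once, keep identifiers, mask PII, drop everything else.
function redactedSummary(rawBody: string): RedactedSummary {
  const evt = JSON.parse(rawBody) as {
    event_id?: string; product_object_id?: string; status?: string;
    user_reference?: string; customer?: { email?: string; wallet?: string };
  };
  const ref = evt.user_reference ?? null;
  return {
    eventId: evt.event_id ?? "",
    productObjectId: evt.product_object_id ?? "",
    status: evt.status ?? "unknown",
    // A user_reference that already contains PII is dropped rather than copied onward.
    userReference: ref !== null && !looksSensitive(ref) ? ref : null,
    customer: evt.customer
      ? { emailHint: maskEmail(evt.customer.email ?? ""), walletHint: maskAddress(evt.customer.wallet ?? "") }
      : null,
  };
}

// Constructed sample request: fake ids, fake email, fake address, fake signature.
const SAMPLE_HEADERS: Record<string, string> = {
  "Content-Type": "application/json",
  "X-Webhook-Signature": "t=1700000000,v1=fakesignature",
  "X-Request-Id": "req_example_001",
};
const SAMPLE_BODY = JSON.stringify({
  event_id: "evt_example_001",
  product_object_id: "sess_example_001",
  status: "completed",
  user_reference: "attempt_local_42",
  customer: { email: "alice@example.com", wallet: "0x1111111111111111111111111111111111111111" },
});

// Usage: log redactHeaders(SAMPLE_HEADERS), persist redactedSummary(SAMPLE_BODY);
// SAMPLE_BODY itself goes only to restricted storage, if it is kept at all.
```

The summary keeps the event id and product object id verbatim because the table marks them safe to store and log; everything about the customer survives only as a masked hint, which is enough for a support agent to confirm "yes, that is my address" without the backend ever handing the full value to analytics or a ticketing system.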