Security

Secrets

  • Store TRONGRID_API_KEY and AUTLANTIC_PAYMENTS_WEBHOOK_SECRET in environment variables, not source code.
  • Rotate a webhook secret as soon as it leaks; signatures produced with the old secret will then fail verification, which is the intended effect.

Webhooks

  • Always verify x-autlantic-signature with verifyWebhook or parseWebhook before trusting the body.
  • Use the raw request body for verification (do not re-serialize JSON).

On-chain verification

  • The SDK verifies USDT TRC-20 transfers to your configured payout address. It does not custody funds.
  • minimum_amount is a floor: a transfer is accepted when it is at least the plan price, so overpayments are accepted by design.

Sandbox

  • Never enable AUTLANTIC_PAYMENTS_SANDBOX in production.

Production checklist

  • [ ] AUTLANTIC_PAYMENTS_SANDBOX off or unset
  • [ ] TRONGRID_API_KEY set (SDK or hosted API)
  • [ ] Webhook secret configured and verified on inbound requests
  • [ ] API keys rotated for hosted HTTP API mode (AUTLANTIC_API_KEYS)

Reporting

Report security issues privately to [email protected].