HTTPS Requirement

HTTPS Only: All API requests must be made over HTTPS. HTTP requests will be rejected with a 400 Bad Request error.
The API enforces HTTPS for all communications to ensure:
  • Data encryption in transit
  • Authentication token protection
  • Request and response integrity
  • Protection against man-in-the-middle attacks

TLS Requirements

Supported TLS Versions

Version    Support Status
TLS 1.3    ✅ Recommended
TLS 1.2    ✅ Supported
TLS 1.1    ❌ Not supported
TLS 1.0    ❌ Not supported

Authentication Security

Token Storage

  • Server-side storage: Store tokens securely on your backend
  • Environment variables: Use environment variables, not hardcoded values
  • Avoid client-side storage: Never store tokens in browsers or mobile app storage
// Good: Server-side environment variable
const apiToken = process.env.API_TOKEN;

// Bad: Hardcoded in client-side code
const apiToken = "sk_live_abcd1234..."; // NEVER DO THIS

Token Transmission

// Correct: Authorization header
const response = await fetch('https://api.caspen.com/v1/clients', {
  headers: {
    'Authorization': `Bearer ${token}`,
    'Content-Type': 'application/json'
  }
});

// Incorrect: Token in URL or body
const response = await fetch(`https://api.caspen.com/v1/clients?token=${token}`);

IP Allowlisting

For enhanced security, you can configure IP allowlists for your API keys:
  1. Log in to your dashboard
  2. Navigate to API keys
  3. Configure allowed IP addresses
  4. Save your configuration

Vulnerability Reporting

If you discover a security vulnerability:
  1. DO NOT disclose it publicly
  2. Email [email protected] with details
  3. Include steps to reproduce the issue
  4. We’ll respond within 24 hours
Enable security notifications in your dashboard to receive alerts about important security updates and maintenance windows.

Authentication best practices

  • Never expose credentials in client-side code - Keep tokens in server-side environments.
  • Use environment variables - Store credentials outside of source control.
  • Rotate credentials regularly - Regenerate tokens periodically and revoke unused ones.
  • Use HTTPS only - Always make requests over HTTPS to protect credentials in transit.
  • Implement proper error handling - Avoid logging tokens or sensitive data.
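The token storage, token transmission and error-handling rules above combined into one small server-side helper. This is an added example, not code from the page or from Caspen; the `API_TOKEN` variable name, the `tok_constructed` sample value and the injectable `fetchImpl` parameter are assumptions made here.

```javascript
// Build the fetch options for a Caspen API call. Rejects non-HTTPS URLs so a
// misconfigured base URL fails fast instead of sending the token over HTTP.
function buildRequest(url, token) {
  const parsed = new URL(url);
  if (parsed.protocol !== 'https:') {
    throw new Error(`Refusing non-HTTPS URL: ${parsed.protocol}//${parsed.host}`);
  }
  if (parsed.searchParams.has('token')) {
    throw new Error('Token must not be passed as a query parameter');
  }
  return {
    url: parsed.toString(),
    options: {
      headers: {
        'Authorization': `Bearer ${token}`,
        'Content-Type': 'application/json',
      },
    },
  };
}

// Replace the bearer token anywhere in a message before it is logged.
function redactToken(text, token) {
  if (!token) return text;
  return text.split(token).join('[REDACTED]');
}

// Read the token from the environment (server side); fail if it is missing
// rather than falling back to a hardcoded value. API_TOKEN is an assumed name.
function loadToken(env = process.env) {
  const token = env.API_TOKEN;
  if (!token) throw new Error('API_TOKEN is not set');
  return token;
}

// Fetch the client list; fetchImpl is injectable so the call can be exercised
// without network access. Errors are logged only after redaction.
async function listClients(token, fetchImpl = fetch) {
  const { url, options } = buildRequest('https://api.caspen.com/v1/clients', token);
  try {
    const res = await fetchImpl(url, options);
    if (!res.ok) throw new Error(`HTTP ${res.status} from ${url}`);
    return await res.json();
  } catch (err) {
    console.error(redactToken(String(err), token));
    throw err;
  }
}
```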