Ensuring the security of your integration with the UnDosTres API is critical.
Below are key recommendations and requirements to follow when working with authentication tokens and sensitive data:
- Always use HTTPS: All API requests must be made over secure HTTPS connections. Requests sent over plain HTTP will be rejected.
- Protect your tokens: Access tokens and refresh tokens should be treated as secrets. Do not expose them in URLs, logs, or client-side code. Always store them securely on the server or within secure local storage when applicable.
- Use secure storage: Avoid storing sensitive credentials or tokens in plaintext. Use encrypted storage or secure token vaults in production environments.
- Respect token scopes and expirations: Access tokens are short-lived. Make sure to monitor expiration times and refresh them using the appropriate endpoints. Avoid reusing expired tokens.
- Enable and respect CORS policies: For browser-based applications, or if you embed secure content (e.g., via WebView or iframe), ensure that your domain is allowed via CORS and that your implementation respects cross-origin constraints.
- Never share secret credentials: Keep your API credentials, signing keys, and client secrets private. Do not include them in mobile apps or expose them to users.
Following these security practices helps protect both your users and your infrastructure from unauthorized access and data leaks.
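The HTTPS, token-handling and expiration rules above, as an added example (not UnDosTres code): a small server-side token manager that refuses a non-HTTPS base URL, refreshes an access token before it expires instead of reusing a stale one, and gives logs a fingerprint rather than the token itself. The `refresh_fn` callable is a hypothetical stand-in for the call to the API's refresh endpoint, whose request shape the page does not show.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

# Refresh this many seconds before the stated expiry so a token that is about
# to expire is never sent, and an expired one is never reused.
REFRESH_MARGIN_SECONDS = 60

@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    expires_at: float  # absolute Unix time at which access_token stops working

class TokenManager:
    """Keeps the token pair server-side and hands out only a valid access token."""

    def __init__(self, base_url: str, refresh_fn: Callable[[str], TokenPair],
                 now: Callable[[], float] = time.time):
        # The API rejects plain HTTP, so refuse a non-HTTPS base URL up front.
        if urlparse(base_url).scheme != "https":
            raise ValueError("API base URL must use https://")
        self.base_url = base_url
        # Hypothetical: refresh_fn stands in for the call to the API's refresh
        # endpoint; the page does not show that request's exact shape.
        self._refresh_fn = refresh_fn
        self._now = now
        self._tokens: Optional[TokenPair] = None

    def set_tokens(self, tokens: TokenPair) -> None:
        self._tokens = tokens

    def needs_refresh(self) -> bool:
        if self._tokens is None:
            return True
        return self._tokens.expires_at - self._now() <= REFRESH_MARGIN_SECONDS

    def get_access_token(self) -> str:
        if self._tokens is None:
            raise RuntimeError("no tokens loaded; obtain a pair before calling the API")
        if self.needs_refresh():
            self._tokens = self._refresh_fn(self._tokens.refresh_token)
        return self._tokens.access_token

def log_ref(token: str) -> str:
    """Log-safe reference: a short fingerprint correlates requests without writing the token."""
    return "tok:" + hashlib.sha256(token.encode()).hexdigest()[:8]
```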