Secret handling
Secret handling
- Never expose XPayr API secrets, webhook secrets, signer private keys, or database credentials publicly.
- Store secrets server-side.
- Mask saved secrets in admin UI.
- Do not overwrite saved secrets when an edit form submits an empty secret field.
- Verify every webhook server-side.
