Secret handling

Last updated: June 24, 2026

Secret handling

  • Never expose XPayr API secrets, webhook secrets, signer private keys, or database credentials publicly.
  • Store secrets server-side.
  • Mask saved secrets in admin UI.
  • Do not overwrite saved secrets when an edit form submits an empty secret field.
  • Verify every webhook server-side.