Security Best Practices
Recommendations for securing your Pelago integration.
API Key Security
DO ✅
- Store keys in environment variables
- Use different keys for sandbox/production
- Rotate keys every 90 days
- Use scoped keys when possible
DON'T ❌
- Commit keys to version control
- Share keys via insecure channels
- Expose keys in client-side code
- Use production keys in development
Webhook Security
- Always verify signatures
- Check timestamps (reject stale webhooks)
- Process asynchronously (respond quickly)
- Implement idempotency (handle duplicates)
```javascript
const isValid = pelago.webhooks.verify(
  payload,
  signature,
  timestamp,
  secret
);
```
Infrastructure
- Enable HTTPS everywhere
- Use IP allowlisting if possible
- Implement rate limiting
- Monitor for anomalies
Wallet Security
- Use hardware wallets for large amounts
- Implement multi-sig for withdrawals
- Run regular security audits
- Keep software updated
Incident Response
- Detect: Monitor logs and alerts
- Contain: Revoke compromised keys
- Investigate: Review access logs
- Recover: Rotate all credentials
- Report: Contact security@pelago.tech