Best practices

Best practices

In order to ensure successful and efficient integration of our API, it is important to establish and follow best practices.

Payments processing

  • It is strongly recommended to verify all payment details prior to releasing value, including amounts, currencies, transaction references, and any other relevant information.
  • Additionally, it is recommended to implement webhooks for relevant transactions in order to receive timely notifications of status changes.
  • It is important to take note of any potential rate limits when checking the status of a transaction, ensuring that requests remain within any applicable limits.

Error Handling

It is recommended to account for any potential edge cases by utilizing clearly defined API responses in order to release value or provide services. Additionally, it is important to ensure that errors are effectively handled and appropriate error messages are displayed to users in the event of an error occurring.

Validating Webhooks

It is strongly recommended to utilize the signature feature, located within the Settings > Developer >Webhooks section of your dashboard, as a means of verifying the authenticity of incoming webhooks from Notch Pay.

API Management

It is essential to ensure that your application meets certain requirements when managing API Keys, including refraining from hardcoding API Keys into the codebase and only initiating API calls that require your Notch Pay Secret Key from the backend or server side of the application. Additionally, it is recommended to utilize environmental variables or a secrets manager to store API Keys.


It is recommended to enforce a strong password policy, such as requiring a minimum of 8 alphanumeric characters and inclusion of at least one upper case and special character. It is also advisable to implement input validation procedures during login to prevent potential exploits. Additionally, measures should be taken to protect against brute-force attacks, including account lockouts and second-factor authentication. Finally, database credentials should be stored securely, preferably utilizing a secrets manager.

Input and Output Forms

It is advisable to validate all input, including both user and service input, on the server-side in addition to any client-side validation, ensuring that only the required characters and necessary field lengths are permitted. Additionally, it is recommended to encode all output. With proper input validation and output encoding, applications should not be susceptible to cross-site scripting attacks, including both stored and reflected attacks. This applies to all headers, cookies, query strings, form fields, and hidden fields. Establishing a whitelist of acceptable characters for use within the application can also be beneficial. It is also important to ensure proper validation is conducted for any files that are uploaded, and utilizing parameterized SQL queries can help to further enhance the security of the application.