Whitelisting

For server-to-server calls

Boxo Payments and Boxo Connect functionalities will only work with whitelisted IP addresses. You can provide these in Dashboard host app overview page.

Our IP addresses

We suggest to whitelist our IP addresses for all endpoints opened for Boxo Platform.

Production environment 18.136.43.253 - https://dashboard.boxo.io/

Passing encrypted user data

Boxo Connect requires the host app to share sensitive user data with miniapps. To secure the data being passed, we recommend that the host app encrypt the user data before sharing it with miniapps. The decryption keys should be provided directly to miniapp owners through secure, private communication channels, ensuring that the data can only be decrypted by the miniapp’s system. This approach minimizes security risks related to user data. For encryption, we suggest using AES-256, which is a robust and widely recognized encryption algorithm suitable for this purpose.

Request signaturing

Boxo Connect and Boxo Payments features enable server-to-server communication, facilitating seamless integration and interaction between applications and the Boxo platform. To ensure the integrity and security of the data exchanged between servers, request signing is employed as a critical mechanism. This process verifies that the data has not been tampered with during transmission and ensures secure interactions between systems.

What is Request Signaturing

Request signing is a cryptographic process where a unique signature is attached to an HTTP request before it is transmitted. This signature is generated using a private key, known only to the sender, and can be verified by the recipient using the corresponding public key. This process ensures the authenticity of the sender and guarantees that the data has not been tampered with during transmission, providing both authentication and data integrity.

Why Request Signaturing is Essential

  1. Authentication:

    • Connect Feature: In Boxo Connect, servers interact to share user data and trigger specific actions. Request signaturing ensures that only authenticated servers can initiate requests, preventing unauthorized access and potential security breaches.

    • Payments Feature: For Boxo Payments, where financial transactions are involved, authentication becomes paramount. Request signaturing adds an extra layer of security, guaranteeing that payment requests originate from trusted sources.

  2. Integrity:

    • Connect Feature: To maintain the integrity of data exchanged between servers in the Boxo Connect feature, request signaturing prevents data tampering during transit. This is vital for ensuring that the received data is exactly as intended by the sender.

    • Payments Feature: In financial transactions, even the slightest alteration of data can have significant consequences. Request signaturing safeguards the integrity of payment requests, ensuring that the transaction details remain unchanged.

  3. Non-Repudiation:

    • Request signaturing enables non-repudiation, meaning that the sender cannot deny having initiated a particular request. This is crucial for accountability and auditing purposes, especially when dealing with sensitive user data and financial transactions.

  4. Secure Communication:

    • By implementing request signaturing, Boxo ensures that communication between servers is conducted over a secure channel. This is fundamental for protecting user privacy, maintaining trust, and complying with security best practices.

How to Implement Request Signaturing

  • To implement request signaturing with Boxo Connect and Boxo Payments features, developers need to follow the provided guidelines and use the cryptographic libraries or tools recommended by Boxo.

  • Private keys for signaturing should be securely stored and never shared publicly. Public keys are used by Boxo to verify the authenticity of incoming requests.