Whitelisting

For server-to-server calls

Boxo Payments and Boxo Connect functionalities will only work with whitelisted IP addresses. You can provide these in Dashboard miniapp settings.

Our IP addresses

We suggest to whitelist our IP addresses for all endpoints opened for Boxo Platform.

Production environment

18.136.43.253 - https://dashboard.boxo.io/

Passing encrypted user data

Boxo Connect requires the host app to share sensitive user data with miniapps. To ensure the security of this data during transfer, we recommend the following best practices:

  1. Data Encryption by Host App: Host apps should encrypt sensitive user data before sharing it with miniapps.

  2. Decryption Keys: The decryption keys should be securely shared with miniapp owners through private communication channels. This ensures that the data can only be decrypted by the miniapp system.

  3. Recommended Encryption Algorithm: For securing user data, we recommend using AES-256, one of the most secure and widely accepted encryption algorithms.

  4. Security Risk Mitigation: This approach reduces the risks associated with the transfer and decryption of sensitive user data.

For more information on data encryption, please contact the host app owners directly.

Request signaturing

Boxo Connect and Boxo Payments are powerful features that enable smooth server-to-server communication, facilitating integration and interaction between your applications and the Boxo platform. To maintain the integrity and security of the data exchanged between servers, request signing is used as a critical security mechanism.

  • Request Signing: This mechanism ensures that requests sent to the Boxo platform are authentic and secure, safeguarding against tampering or unauthorized access during data transmission.

What is Request Signaturing

Request signaturing is a cryptographic process that involves attaching a unique signature to an HTTP request before it is transmitted. This signature is generated using a private key, known only to the sender, and can be verified by the recipient using the corresponding public key. This process ensures that the sender of the request is authenticated, and the data has not been tampered with during transmission.

Why Request Signaturing is Essential

  1. Authentication:

    • Connect Feature:

      In Boxo Connect, servers interact to share user data and trigger specific actions. Request signaturing ensures that only authenticated servers can initiate requests, preventing unauthorized access and potential security breaches.

    • Payments Feature:

      For Boxo Payments, where financial transactions are involved, authentication becomes paramount. Request signaturing adds an extra layer of security, guaranteeing that payment requests originate from trusted sources.

  2. Integrity:

    • Connect Feature:

      To maintain the integrity of data exchanged between servers in the Boxo Connect feature, request signaturing prevents data tampering during transit. This is vital for ensuring that the received data is exactly as intended by the sender.

    • Payments Feature:

      In financial transactions, even the slightest alteration of data can have significant consequences. Request signaturing safeguards the integrity of payment requests, ensuring that the transaction details remain unchanged.

  3. Non-Repudiation:

    • Request signaturing enables non-repudiation, meaning that the sender cannot deny having initiated a particular request. This is crucial for accountability and auditing purposes, especially when dealing with sensitive user data and financial transactions.

  4. Secure Communication:

    • By implementing request signaturing, Boxo ensures that communication between servers is conducted over a secure channel. This is fundamental for protecting user privacy, maintaining trust, and complying with security best practices.

How to Implement Request Signaturing

  • To implement request signaturing with Boxo Connect and Boxo Payments features, developers need to follow the provided guidelines and use the cryptographic libraries or tools recommended by Boxo.

  • Private keys for signaturing should be securely stored and never shared publicly. Public keys are used by Boxo to verify the authenticity of incoming requests.