Integration security guide
A reference for securing your Super Payments integration in production.
API Key Security
Super provides two types of API key: a public key and a secret key. Only your secret key needs to be kept secure — your public key is safe to use client-side.
- Never expose your secret key client-side. Secret keys must only be used in server-side code. They should never appear in browser JavaScript, mobile app binaries, or public repositories.
- Use environment variables. Store your secret key in environment variables or a secrets manager - never hardcode it in source files.
- Rotate your secret key immediately if you suspect it has been compromised. You can generate a new secret key at any time from the business portal.
- Use your `sk_test_` secret key for all sandbox testing and your `sk_prod_` secret key only in production environments.
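The points above can be enforced at process start-up rather than left to convention. The following is an added example (not Super's code): a loader that reads the secret key from the environment, refuses to start if the key's prefix does not match the deployment environment, and redacts the key in any error it reports. The `sk_test_` and `sk_prod_` prefixes come from this guide; the variable names `SUPER_SECRET_KEY` and `APP_ENV` are assumptions for the example.

```python
import os
import re

# Key prefixes named in this guide: sk_test_ for sandbox, sk_prod_ for production.
EXPECTED_PREFIX = {"sandbox": "sk_test_", "production": "sk_prod_"}

# Environment-variable names are assumptions for this example, not Super's.
KEY_ENV_VAR = "SUPER_SECRET_KEY"
APP_ENV_VAR = "APP_ENV"  # "sandbox" or "production"


class KeyConfigError(RuntimeError):
    """The secret key is missing or does not belong to this deployment environment."""


def redact(key: str) -> str:
    """Render a key for logs and error messages: environment prefix, then the last four characters."""
    m = re.match(r"^sk_(?:test|prod)_", key)
    prefix = m.group(0) if m else ""
    tail = key[-4:] if len(key) >= len(prefix) + 4 else ""
    return f"{prefix}...{tail}"


def validate_secret_key(key: str, app_env: str):
    """Return None if the key may be used in app_env, else a description of the problem."""
    if app_env not in EXPECTED_PREFIX:
        return f"unknown environment {app_env!r}; expected one of {sorted(EXPECTED_PREFIX)}"
    if not key:
        return "secret key is empty; never fall back to a hardcoded value"
    want = EXPECTED_PREFIX[app_env]
    if not key.startswith(want):
        # A test key in production silently fails live payments; a production key in
        # sandbox exposes it to non-production hosts. Refuse to start either way.
        return f"key {redact(key)} is not a {want}* key, so it must not be used in {app_env}"
    return None


def load_secret_key(env=None) -> str:
    """Read the key from the process environment (or a dict for tests) and fail closed on any mismatch."""
    env = os.environ if env is None else env
    app_env = env.get(APP_ENV_VAR, "").strip().lower()
    key = env.get(KEY_ENV_VAR, "").strip()
    problem = validate_secret_key(key, app_env)
    if problem:
        raise KeyConfigError(problem)
    return key
```

Call `load_secret_key()` once at start-up and pass the returned value to your API client; because the error text only ever contains the redacted form, the check can run before logging is configured without risking the key ending up in a crash report.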
Webhook Security
Super signs every webhook request so you can verify it genuinely came from Super and hasn't been tampered with.
You must verify the webhook signature on every incoming event before processing it. Do not trigger any fulfilment, confirmation, or business logic based solely on the contents of an unverified webhook payload.
For the full signature verification steps, see the Webhooks guide.
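The shape of a verify-before-process handler, as an added example that is not Super's code and does not use Super's actual signing scheme (that is in the Webhooks guide). The scheme here is an assumption chosen for illustration: the sender places a Unix timestamp and a hex HMAC-SHA256 over `<timestamp>.<raw body>` in a `Super-Signature` header. The header name, the `t=`/`v1=` format, the five-minute tolerance and the sample event are all constructed for the example. What carries over regardless of scheme: verify over the raw request bytes, compare digests in constant time, bound the age of the event, and only parse the body after the signature has passed.

```python
import hashlib
import hmac
import json
import time

# Illustrative scheme (an assumption for this example, not Super's documented one):
#   Super-Signature: t=<unix timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<raw body>">
SIGNATURE_HEADER = "Super-Signature"
TOLERANCE_SECONDS = 300  # reject events older than five minutes to limit replay


def sign(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Produce the header value the sender would attach (used here to build test input)."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + raw_body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def parse_signature_header(value: str):
    """Split 't=...,v1=...' into (timestamp, hex digest); raises on malformed input."""
    parts = dict(p.split("=", 1) for p in value.split(",") if "=" in p)
    return int(parts["t"]), parts["v1"]


def verify(secret: str, headers: dict, raw_body: bytes, now=None) -> bool:
    """True only if the signature matches the raw body and the event is fresh. Never raises."""
    now = time.time() if now is None else now
    value = headers.get(SIGNATURE_HEADER)
    if not value:
        return False
    try:
        ts, given = parse_signature_header(value)
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    # Recompute over the exact bytes received; re-serialising parsed JSON would
    # change whitespace or key order and break the comparison.
    expected = sign(secret, ts, raw_body).split("v1=", 1)[1]
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected, given)


def handle_webhook(secret: str, headers: dict, raw_body: bytes, now=None):
    """Verify first, parse second. Returns (HTTP status, event dict or None)."""
    if not verify(secret, headers, raw_body, now):
        return 400, None  # nothing downstream ever sees an unverified payload
    event = json.loads(raw_body)
    return 200, event


if __name__ == "__main__":
    # Constructed sample event and secret for a local run.
    secret = "whsec_example"
    body = b'{"type":"payment.succeeded","id":"pay_123","amount":1000}'
    headers = {SIGNATURE_HEADER: sign(secret, 1700000000, body)}
    print(handle_webhook(secret, headers, body, now=1700000010))
    print(handle_webhook(secret, headers, body.replace(b"1000", b"1"), now=1700000010))
```

Return 400 on failure rather than a detailed reason; the sender retries on non-2xx responses, and a tampering caller learns nothing from the status alone. Once an event has verified, record its id so a legitimately redelivered event is not fulfilled twice.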
PCI Compliance
Super's hosted payment environment is PCI DSS compliant. All sensitive cardholder data is captured and processed within Super's secure, hosted environment — your servers never handle raw card data directly.
Your PCI compliance obligations depend on your integration type:
| Integration type | Cardholder data handled by your server | PCI scope |
|---|---|---|
| Hosted Page | No | SAQ A |
| Payment Links | No | SAQ A |
| Embedded | No | SAQ A |
You remain responsible for securing your own infrastructure, API keys, and webhook endpoints in line with your organisation's security policies.
Content Security Policy (CSP)
If your site enforces a Content Security Policy, add the following sources to the listed directives so that Super's components can load and operate correctly. Merge them into the values you already allow for each directive rather than replacing the directive outright; a replaced directive would drop your own origin and any other sources your site depends on.
connect-src
https://*.superpayments.com
https://api.storyblok.com
https://q4g4k4pw47biltffyqrfab7q7m0jaagm.lambda-url.ap-south-1.on.aws
https://*.sentry.io
https://web-sdk.smartlook.com
https://cdn.segment.com
https://*.seondnsresolve.com
https://api.stripe.com
https://maps.googleapis.com
script-src
https://*.superpayments.com
https://js.stripe.com
https://b.stripecdn.com
https://m.stripe.network
img-src
https://cdn.superpayments.com
https://a.storyblok.com
frame-src
https://*.js.stripe.com
https://js.stripe.com
https://hooks.stripe.com
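To see how the sources above combine into one header and what each wildcard actually permits, here is an added example (not Super's code) that serialises the directives into a `Content-Security-Policy` value and checks candidate URLs against them with an approximation of CSP host-source matching. The sources are exactly those listed above; `'self'` on connect-src, script-src and img-src and the `https://shop.example` page origin are assumptions added so the example reflects a real site that also talks to itself.

```python
from urllib.parse import urlsplit

# Sources as listed in this guide. 'self' is added (an assumption for this example)
# so the site's own origin stays allowed; the guide lists only the hosts Super needs.
CSP_DIRECTIVES = {
    "connect-src": [
        "'self'",
        "https://*.superpayments.com",
        "https://api.storyblok.com",
        "https://q4g4k4pw47biltffyqrfab7q7m0jaagm.lambda-url.ap-south-1.on.aws",
        "https://*.sentry.io",
        "https://web-sdk.smartlook.com",
        "https://cdn.segment.com",
        "https://*.seondnsresolve.com",
        "https://api.stripe.com",
        "https://maps.googleapis.com",
    ],
    "script-src": [
        "'self'",
        "https://*.superpayments.com",
        "https://js.stripe.com",
        "https://b.stripecdn.com",
        "https://m.stripe.network",
    ],
    "img-src": ["'self'", "https://cdn.superpayments.com", "https://a.storyblok.com"],
    "frame-src": ["https://*.js.stripe.com", "https://js.stripe.com", "https://hooks.stripe.com"],
}


def build_csp_header(directives=CSP_DIRECTIVES) -> str:
    """Serialise the directive map into a single Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Approximate CSP host-source matching, sufficient for the sources above:
    'self' is the page's own origin; a scheme in the source must equal the URL's;
    a leading '*.' matches any subdomain but not the bare apex; paths are ignored."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}".lower() == page_origin.lower()
    scheme, _, host = source.partition("://")
    if not host or scheme.lower() != u.scheme.lower():
        return False
    host = host.lower()
    url_host = (u.hostname or "").lower()
    if host.startswith("*."):
        # "*.superpayments.com" -> ".superpayments.com": a subdomain must precede the dot,
        # so the apex "superpayments.com" and look-alikes such as "evilsuperpayments.com" fail.
        return url_host.endswith(host[1:])
    return url_host == host


def allowed(directive: str, url: str, page_origin: str = "https://shop.example") -> bool:
    """Would a fetch, script, image or frame load from url be permitted by this directive?"""
    return any(source_matches(s, url, page_origin) for s in CSP_DIRECTIVES[directive])


if __name__ == "__main__":
    print(build_csp_header())
    print(allowed("connect-src", "https://api.superpayments.com/v1/checkout"))  # subdomain: allowed
    print(allowed("connect-src", "https://superpayments.com/v1/checkout"))      # apex: not covered
```

The practical caveat the matcher makes visible: `https://*.superpayments.com` covers `api.superpayments.com` but not the bare `superpayments.com`, and `https://` sources never match plain `http://` URLs. The frame-src list above is consistent with this, which is why it names both `*.js.stripe.com` and `js.stripe.com`. If a Super component is blocked in the browser, the console's CSP violation report names the directive and the blocked URL; run that URL through `allowed()` to see which source is missing.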
