API Security Best Practices
Protect your API keys, webhook endpoints, and integrations with proper authentication, encryption, and monitoring.
IPTVbp integrates with payment gateways, IPTV panels, Discord, and other services via APIs. Each integration involves sensitive credentials that must be handled carefully. This guide covers best practices for API security.
Understanding API Keys
An API key is like a password for machine-to-machine communication. IPTVbp uses several types:
| Key Type | Used For | Where Stored |
|---|---|---|
| Stripe Secret Key | Processing payments | IPTVbp encrypted settings |
| Stripe Webhook Secret | Verifying webhook signatures | IPTVbp encrypted settings |
| PayPal Client Secret | PayPal payments | IPTVbp encrypted settings |
| Panel API Credentials | IPTV panel provisioning | IPTVbp encrypted settings |
| Discord Bot Token | Discord integration | IPTVbp encrypted settings |
| NOWPayments API Key | Crypto payments | IPTVbp encrypted settings |
Rule 1: Never Expose Keys in Code or Logs
- Do not hardcode API keys in source code.
- Do not paste keys in chat messages, emails, or support tickets.
- Do not log full API keys. If you must log something, show only the last 4 characters (e.g. `sk_live_...a4b2`).
- Do not commit `.env` files to version control. Add `.env` to your `.gitignore`.
Rule 2: Use Environment Variables
Store all sensitive credentials in environment variables:
```
# .env file (never committed to git)
STRIPE_SECRET_KEY=sk_live_...
STRIPE_WEBHOOK_SECRET=whsec_...
PANEL_API_PASSWORD=...
```
IPTVbp reads these from the server environment. If you are self-hosting, ensure the `.env` file has restricted permissions:
```bash
chmod 600 .env
chown www-data:www-data .env
```
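The following Python script is an added example, not IPTVbp's own loader, showing Rules 1 and 2 in code: it refuses to read a `.env` file whose permission bits allow group or world access, parses the file, and masks each value the way the logging rule suggests (a short type prefix such as `sk_live_` plus the last 4 characters, and nothing at all for values too short to mask safely). The sample file contents, the `REQUIRED` tuple, and the strict 0600 check are assumptions chosen for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example, not IPTVbp's own code. Names, sample values and the 0600
# requirement are assumptions chosen to illustrate Rules 1 and 2.

REQUIRED = ("STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET", "PANEL_API_PASSWORD")

# Constructed sample .env contents; these are not real credentials.
SAMPLE_ENV = """\
# .env file (never committed to git)
STRIPE_SECRET_KEY=sk_live_51HabcdefXYZa4b2
STRIPE_WEBHOOK_SECRET=whsec_EXAMPLEonly0000wxyz
PANEL_API_PASSWORD="Correct Horse Battery"
"""


def mask_key(key: str, visible: int = 4, min_hidden: int = 8) -> str:
    """Mask a credential for logging: keep a short type prefix such as
    'sk_live_' or 'whsec_' (when present) and the last `visible` characters,
    and never reveal fewer than `min_hidden` characters of the value."""
    if len(key) - visible < min_hidden:
        return "*" * len(key)  # too short to show anything safely
    head, sep, _ = key.rpartition("_")
    prefix = head + sep if sep and len(head) <= 8 else ""
    if len(key) - len(prefix) - visible < min_hidden:
        prefix = ""
    return f"{prefix}...{key[-visible:]}"


def load_env_file(path: Path, required=REQUIRED) -> dict:
    """Parse KEY=VALUE lines from a .env file, refusing any file that group
    or world can access (anything beyond the owner bits, i.e. not 0600/0400)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        raise PermissionError(
            f"{path} is mode {mode:04o}; expected 0600 (run: chmod 600 {path})"
        )
    values = {}
    for raw in path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        values[name.strip()] = value.strip().strip('"').strip("'")
    missing = [name for name in required if not values.get(name)]
    if missing:
        raise KeyError("missing required settings: " + ", ".join(missing))
    return values


def demo() -> dict:
    """Write the constructed .env to a temp dir, show the loader rejecting a
    world-readable copy, then load the 0600 copy and return masked values."""
    with tempfile.TemporaryDirectory() as tmp:
        env_path = Path(tmp) / ".env"
        env_path.write_text(SAMPLE_ENV)
        os.chmod(env_path, 0o644)  # too permissive: the loader must refuse it
        try:
            load_env_file(env_path)
            raise RuntimeError("loader accepted a world-readable .env")
        except PermissionError:
            pass
        os.chmod(env_path, 0o600)  # what Rule 2 recommends
        secrets = load_env_file(env_path)
        # Log-safe view: the only form of these values that should ever be logged.
        return {name: mask_key(value) for name, value in secrets.items()}


if __name__ == "__main__":
    for name, masked in demo().items():
        print(f"{name}={masked}")
```

The permission check reads the mode bits rather than attempting to open the file, so it fails loudly even when the process runs as root and could read the file anyway; that is the point, since the goal is to catch a misconfigured deployment, not to test readability.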
Rule 3: Rotate Keys Regularly
Set a rotation schedule:
| Key Type | Rotation Frequency | How to Rotate |
|---|---|---|
| Stripe keys | Every 12 months | Generate new keys in Stripe Dashboard, update in IPTVbp |
| Panel credentials | Every 6 months | Change password in panel, update in IPTVbp |
| Discord bot token | Every 12 months | Regenerate in Discord Developer Portal |
| NOWPayments key | Every 12 months | Generate new key in NOWPayments |
After rotation, test all integrations to confirm they work with the new keys.
Rule 4: Verify Webhook Signatures
Webhooks are HTTP requests sent by external services (Stripe, PayPal) to your server. Without verification, an attacker could send fake webhook events to manipulate your system.
IPTVbp automatically verifies webhook signatures for all supported gateways:
- Stripe: Uses the `stripe-signature` header and your webhook signing secret to verify authenticity.
- PayPal: Verifies the webhook ID and transmission signature.
- NOWPayments: Validates the HMAC signature using your IPN secret.
Never disable webhook signature verification. If you are building a custom integration, always validate signatures before processing events.
Rule 5: Use HTTPS Everywhere
All communication between IPTVbp and external services must use HTTPS:
- Panel URLs should use `https://` when possible (especially NXT Dashboard).
- Webhook endpoints must be HTTPS (Stripe and PayPal require this).
- Your store custom domain must have a valid SSL certificate (IPTVbp provisions this automatically via Let's Encrypt).
If your IPTV panel does not support HTTPS natively, put it behind an Nginx reverse proxy with SSL.
Rule 6: Restrict API Access by IP
When possible, restrict which IP addresses can use your API credentials:
- Stripe: Use Stripe's restricted keys to limit access to specific API methods.
- IPTV Panel: Configure your panel's firewall to only accept API requests from the IPTVbp server IP.
- Discord: Bot tokens cannot be IP-restricted, so protect them with other measures.
In IPTVbp, you can set up an IP allowlist for the vendor dashboard (see Account Security guide).
Rule 7: Use Least-Privilege Access
Only grant the minimum permissions needed:
- Panel API tokens (NXT): Only grant Create Users, Manage Subscriptions, View Packages -- not full admin access.
- Stripe restricted keys: Create keys that can only manage customers and subscriptions, not read financial reports.
- Staff accounts: Assign the narrowest role that allows the staff member to do their job.
Rule 8: Monitor for Anomalies
Watch for unusual API activity:
- Sudden spike in API requests (possible credential leak).
- Requests from unexpected IP addresses.
- Failed authentication attempts.
- Webhook deliveries from unknown sources.
IPTVbp logs all API activity. Review the Audit Log and Error Logs regularly.
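As an added example of what "review the logs regularly" can look like when automated, the Python script below runs three of the checks listed above (request spikes per key, requests from unexpected IPs, and repeated failed authentication) over constructed sample log lines. It is not IPTVbp's own monitoring: the line format, field names, allowlist address and thresholds are assumptions for illustration and would need to be adapted to the real Audit Log export.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List

# Added example, not IPTVbp's own monitoring. The log line format, field names
# and thresholds are assumptions for illustration; adapt them to the real
# Audit Log export. It covers three of the signals listed above: request spikes
# per key, requests from unexpected IPs, and repeated failed authentication.

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) key=(?P<key>\S+) status=(?P<status>\d{3}) path=(?P<path>\S+)$"
)
ALLOWED_IPS = {"203.0.113.5"}   # e.g. the IPTVbp server (constructed address)
SPIKE_THRESHOLD = 20            # requests per key per minute
FAILED_AUTH_THRESHOLD = 3       # 401/403 responses per source IP


def build_sample_log() -> str:
    """Constructed sample: one normal call, a 25-request burst from one key in a
    single minute, and four failed calls from an address not on the allowlist."""
    lines = ["2024-05-01T09:59:30Z ip=203.0.113.5 key=sk_live_...a4b2 status=200 path=/api/v1/customers"]
    lines += [
        f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.5 key=sk_live_...a4b2 status=200 path=/api/v1/subscriptions"
        for i in range(25)
    ]
    lines += [
        f"2024-05-01T10:01:{i:02d}Z ip=198.51.100.7 key=sk_live_...zz99 status=401 path=/api/v1/customers"
        for i in range(4)
    ]
    return "\n".join(lines)


def parse_log(text: str) -> Iterator[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LOG_PATTERN.match(line.strip())
        if not match:
            continue
        entry = match.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield entry


def detect_anomalies(entries: Iterable[dict], allowed_ips=ALLOWED_IPS,
                     spike_threshold: int = SPIKE_THRESHOLD,
                     failed_threshold: int = FAILED_AUTH_THRESHOLD) -> Dict[str, List]:
    """Aggregate the log and return the findings worth a human's attention."""
    per_key_minute: Counter = Counter()   # (key, minute) -> request count
    failed_per_ip: Counter = Counter()    # ip -> 401/403 count
    unexpected_ips = set()
    for e in entries:
        minute = e["ts"].replace(second=0, microsecond=0)
        per_key_minute[(e["key"], minute)] += 1
        if e["status"] in ("401", "403"):
            failed_per_ip[e["ip"]] += 1
        if e["ip"] not in allowed_ips:
            unexpected_ips.add(e["ip"])
    return {
        "spikes": sorted(
            (key, minute.isoformat(), count)
            for (key, minute), count in per_key_minute.items()
            if count > spike_threshold
        ),
        "unexpected_ips": sorted(unexpected_ips),
        "failed_auth": sorted(
            (ip, count) for ip, count in failed_per_ip.items() if count >= failed_threshold
        ),
    }


if __name__ == "__main__":
    report = detect_anomalies(parse_log(build_sample_log()))
    for kind, findings in report.items():
        print(kind, findings)
```

The keys in the sample lines are already masked (`sk_live_...a4b2`), which is how they should appear in any log this script reads; a per-key counter works just as well on the masked form, and it keeps the monitoring pipeline from becoming another place a full key can leak.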
Incident Response
If you suspect an API key has been compromised:
- Revoke the compromised key immediately in the service's dashboard.
- Generate a new key and update it in IPTVbp.
- Review logs for any actions taken with the compromised key.
- Check for unauthorised changes: new users created, subscriptions modified, refunds processed.
- Reverse any unauthorised actions (delete fake accounts, reverse fake refunds).
- Investigate the leak: check git history, chat logs, email for exposed keys.
Encryption at Rest
IPTVbp encrypts sensitive configuration data (API keys, panel credentials) at rest in the database using AES-256 encryption. The encryption key is stored separately from the database. This means:
- A database backup alone cannot reveal your API keys.
- Even database admin access does not expose credentials without the encryption key.
- Keys are only decrypted in memory when needed for API calls.