# Authentication & Security
Security is a core requirement of every YAPU API integration. This page provides an overview of how YAPU APIs handle authentication and encryption.
Specific credentials, tokens, and environment URLs are never published in this portal. They are provided securely by your YAPU contact during the onboarding and specification phase.
## Authentication method
YAPU APIs use Bearer token / API key authentication. Each request must include a valid authentication token in the request header.
The exact header format and token structure are defined in the technical API documentation provided by YAPU during the specification phase.
:::warning Credential security

Your API key carries significant privileges. Handle it with care:
- Never share your API key in publicly accessible areas such as GitHub, client-side code, or documentation.
- Never hardcode credentials in your application source code.
- Never commit credentials to version control systems.
- Store tokens securely using environment variables or a secrets management system.
- Rotate credentials immediately if they are accidentally exposed.
To obtain or change your API key, contact your YAPU administrator.

:::
## Security architecture
| Layer | Mechanism | Notes |
|---|---|---|
| Transport encryption | TLS | TLS 1.2 minimum; TLS 1.3 preferred |
| Payload encryption | RSA (optional) | Available as an additional layer beyond TLS for sensitive payloads |
| Data at rest | AES-256 | All stored request/response data encrypted at rest |
| Protocol enforcement | HTTPS only | Plain HTTP requests receive a 301 Moved Permanently redirect |
| Audit logging | Server-side | All requests logged; anomaly detection active on usage patterns |
:::note RSA payload encryption

RSA payload encryption is an optional layer beyond TLS. Whether it is required for your integration will be communicated by your YAPU onboarding specialist.

:::
## HTTPS enforcement
All communication with YAPU APIs must use HTTPS. This is enforced at the infrastructure level — plain HTTP requests receive a 301 Moved Permanently redirect and are not processed.
## Security best practices
Follow these practices throughout your integration:
| Practice | Guidance |
|---|---|
| Use environment variables | Store all credentials in environment variables, never in code |
| Limit access | Only the systems that need API access should have credentials |
| Use staging credentials separately | Staging and production credentials are different — never mix them |
| Monitor for unauthorized access | Log and alert on unexpected authentication failures |
| Request only what you need | Only call the API endpoints relevant to your integration bundle |
## Credential lifecycle
- Credentials are issued by YAPU during the specification and onboarding phase.
- Credentials for staging and production environments are separate.
- If you suspect a credential has been compromised, contact your YAPU representative immediately.
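The client-side handling this page asks for (one key per environment read from the environment, a Bearer header, HTTPS-only sending, and alerting on authentication failures), as an added Python example that is not YAPU's code. The environment-variable names, the exact Authorization header format and the alert threshold are assumptions; the real values come from your YAPU onboarding documents.

```python
import os
import time
from collections import deque
from urllib.parse import urlparse

# Assumed variable names: the real ones come from your YAPU onboarding documents.
ENV_VAR_BY_ENVIRONMENT = {
    "staging": "YAPU_STAGING_API_KEY",
    "production": "YAPU_PRODUCTION_API_KEY",
}


def load_api_key(environment: str, env=os.environ) -> str:
    """Read the key for exactly one environment, so staging and production never mix."""
    if environment not in ENV_VAR_BY_ENVIRONMENT:
        raise ValueError(f"unknown environment: {environment!r}")
    var = ENV_VAR_BY_ENVIRONMENT[environment]
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; credentials are never hardcoded")
    return key


def build_request_headers(url: str, api_key: str) -> dict:
    """Return request headers, refusing to send the token over plain HTTP.
    The server's 301 arrives only after a cleartext request has already carried the token.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send credentials over {scheme or 'unknown'} scheme")
    # Header format assumed; the exact format is in the YAPU technical API documentation.
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


class AuthFailureMonitor:
    """Alert when 401/403 responses exceed a threshold inside a sliding time window."""

    def __init__(self, threshold: int = 5, window_seconds: float = 300.0):
        self.threshold = threshold
        self.window = window_seconds
        self._failures = deque()  # timestamps of recent authentication failures

    def record(self, status_code: int, now=None) -> bool:
        """Record one response status; return True when an alert should fire."""
        now = time.time() if now is None else now
        if status_code in (401, 403):
            self._failures.append(now)
        while self._failures and now - self._failures[0] > self.window:
            self._failures.popleft()
        return len(self._failures) >= self.threshold
```

Because the key is sent in a header, the HTTPS check must run before the request leaves the client; relying on the server's 301 would already have exposed the token.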
## Summary
| Security element | Implementation |
|---|---|
| Authentication | Bearer token / API key |
| Encryption | TLS in transit; RSA payload encryption (optional); AES-256 at rest |
| Transport | HTTPS (enforced — no HTTP) |
| Credential management | Provided by YAPU during onboarding |
| Public credential exposure | Never — not published in this portal |