Security & Compliance

NextAPI is operated by NextPay under a license from the Bangko Sentral ng Pilipinas (BSP), the central bank of the Philippines. This page covers the security controls you interact with as an integrator.

Third-party penetration testing

NextAPI has been independently penetration tested by Secuna, the Philippines' leading cybersecurity company and bug bounty platform. Our infrastructure, API endpoints, authentication mechanisms, and webhook delivery system were assessed by their team of certified security researchers.

Secuna's assessment covered:

Authentication & authorization — credential handling, Basic Auth implementation, and session management
API endpoint security — input validation, injection vulnerabilities, and access control across all endpoints
Webhook integrity — HMAC-SHA256 signature scheme, replay attack resistance, and payload tampering
Transport security — TLS configuration, certificate handling, and cipher suite hardening
Infrastructure — Cloudflare-protected edge, rate limiting, and DDoS mitigations

We conduct periodic re-assessments as the API evolves. If you have specific security questions or need documentation for your own compliance review, contact your NextPay account manager.

Regulatory context

NextPay holds an OPS (Other Payment System) license issued by the BSP. This license authorizes NextPay to operate payment systems in the Philippines, covering fund transfers, wallet operations, and disbursements.

As a partner integrating NextAPI, your use of the API is governed by your partner agreement with NextPay, which includes compliance obligations for your own use case (e.g., KYC requirements for your merchants, transaction reporting).

Transport security (TLS)

All NextAPI endpoints are served exclusively over HTTPS with TLS 1.2 or higher. There is no HTTP fallback.

Never send credentials or request payloads over plain HTTP
Verify the server certificate in your HTTP client (this is the default for all modern clients)
Pin the certificate only if your security requirements demand it — certificate rotation can break pinned clients

Webhook signature verification (HMAC-SHA256)

When NextAPI delivers a webhook to your endpoint, it signs the payload with your webhook secret using HMAC-SHA256. Verifying this signature confirms the webhook is genuine and has not been tampered with in transit.

How it works

NextAPI computes HMAC-SHA256(webhook_secret, raw_request_body)
The signature is included in the x-nextpay-signature request header
Your endpoint independently computes the same HMAC and compares

Verification implementation

Node.js
Python

import crypto from "crypto";

function verifyWebhookSignature(rawBody, signatureHeader, webhookSecret) {
  const expected = crypto
    .createHmac("sha256", webhookSecret)
    .update(rawBody)
    .digest("hex");

  // Use timingSafeEqual to prevent timing attacks
  const expectedBuf = Buffer.from(expected, "hex");
  const receivedBuf = Buffer.from(signatureHeader, "hex");

  if (expectedBuf.length !== receivedBuf.length) return false;
  return crypto.timingSafeEqual(expectedBuf, receivedBuf);
}

// Express example
app.post("/webhooks/nextpay", express.raw({ type: "application/json" }), (req, res) => {
  const signature = req.headers["x-nextpay-signature"];
  const isValid = verifyWebhookSignature(req.body, signature, process.env.WEBHOOK_SECRET);

  if (!isValid) {
    return res.status(401).send("Invalid signature");
  }

  const event = JSON.parse(req.body);
  // Process event...
  res.status(200).send("OK");
});

import hmac
import hashlib
from flask import Flask, request

app = Flask(__name__)

def verify_webhook_signature(raw_body: bytes, signature: str, secret: str) -> bool:
    expected = hmac.new(
        secret.encode(),
        raw_body,
        hashlib.sha256,
    ).hexdigest()
    return hmac.compare_digest(expected, signature)

@app.route("/webhooks/nextpay", methods=["POST"])
def webhook():
    signature = request.headers.get("x-nextpay-signature", "")
    is_valid = verify_webhook_signature(request.data, signature, WEBHOOK_SECRET)

    if not is_valid:
        return "Invalid signature", 401

    event = request.get_json()
    # Process event...
    return "OK", 200

Important

Always read the raw request body before parsing JSON. Parsing and re-serializing changes byte ordering or whitespace, which invalidates the signature.

Critical security note

Use a constant-time comparison (e.g., crypto.timingSafeEqual in Node.js, hmac.compare_digest in Python) rather than === or ==. Standard string comparison leaks timing information that an attacker can exploit to forge valid signatures.

Credential security

Practice	Requirement
Store credentials in environment variables	Required
Call NextAPI from server-side code only	Required
Never embed credentials in client-side code	Required
Never commit credentials to version control	Required
Rotate credentials immediately if exposed	Required
Use separate sandbox and production credentials	Strongly recommended

If you suspect your Client Secret or webhook secret has been compromised, contact NextPay support to rotate credentials.

Authentication — how Basic Auth credentials are constructed and transmitted
Understanding Webhooks — webhook event types, retry logic, and payload structure
Setup Webhooks — registering your endpoint and verifying signatures

Third-party penetration testing​

Regulatory context​

Transport security (TLS)​

Webhook signature verification (HMAC-SHA256)​

How it works​

Verification implementation​

Critical security note​

Credential security​

Related​