PayFence

Security

Built on trust, verified by design

PayFence is designed so that your API traffic stays secure, your data stays private, and every access decision is auditable. Here is exactly how we do it.

HMAC Verified

Every proxied request is signed

Origin Hidden

Agents never see your real URL

Zero Body Storage

Only metadata is processed

Full Audit Trail

Every decision is logged

HMAC Signature Verification

Every request that PayFence forwards to your origin in proxy mode carries an HMAC-SHA256 signature in the X-PayFence-Signature header. The signature is keyed with a shared secret that only you and PayFence know, and is computed over the request method, path, and timestamp.

Your origin verifies this signature before processing any request. If the signature is missing, expired, or invalid, your origin rejects the request immediately. This means that even if someone discovers your origin URL, they cannot make valid requests without the shared secret.

The signature includes a timestamp to prevent replay attacks. Requests older than 5 minutes are automatically rejected. You can configure this window in the dashboard.

Signature Verification Flow

PayFence computes:

HMAC-SHA256(secret, method + path + timestamp)

Header added to request:

X-PayFence-Signature: sha256=a1b2c3d4...

X-PayFence-Timestamp: 1706745600

Your origin verifies:

Recompute HMAC → Compare → Accept / Reject
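The verification flow above, as an added example of what the origin side can look like. This is illustrative code, not PayFence's own; it assumes the signed string is the plain concatenation method + path + timestamp exactly as the page writes it (the gateway's real delimiter and canonicalization rules are not stated here), and the shared secret is a constructed value.

```python
import hashlib
import hmac
import time

SIGNATURE_HEADER = "X-PayFence-Signature"
TIMESTAMP_HEADER = "X-PayFence-Timestamp"
MAX_SKEW_SECONDS = 5 * 60  # the 5-minute window described above (configurable per the page)


def signing_string(method: str, path: str, timestamp: str) -> str:
    # Assumption: plain concatenation in the order the page gives (method + path + timestamp).
    # The real gateway's delimiter and canonicalization rules are not specified on this page.
    return f"{method.upper()}{path}{timestamp}"


def compute_signature(secret: str, method: str, path: str, timestamp: str) -> str:
    digest = hmac.new(secret.encode(), signing_string(method, path, timestamp).encode(), hashlib.sha256)
    return "sha256=" + digest.hexdigest()


def sign_request(secret: str, method: str, path: str, now: int) -> dict:
    """Gateway side: the two headers the page shows being added to the proxied request."""
    timestamp = str(int(now))
    return {
        SIGNATURE_HEADER: compute_signature(secret, method, path, timestamp),
        TIMESTAMP_HEADER: timestamp,
    }


def verify_request(secret: str, method: str, path: str, headers: dict, now=None):
    """Origin side: returns (accepted, reason). Every failure path rejects before any processing."""
    now = time.time() if now is None else now
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    signature = lowered.get(SIGNATURE_HEADER.lower())
    timestamp = lowered.get(TIMESTAMP_HEADER.lower())
    if signature is None or timestamp is None:
        return False, "missing_signature_or_timestamp"
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False, "malformed_timestamp"
    # Reject stale requests (replay) and far-future ones (clock skew or tampering); abs() covers both.
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "expired"
    # Recompute over the timestamp string exactly as received, then compare in constant time
    # so that a byte-by-byte mismatch position is not observable through response timing.
    expected = compute_signature(secret, method, path, timestamp)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "invalid_signature"
    return True, "ok"


if __name__ == "__main__":
    secret = "constructed-shared-secret"  # constructed value for the example only
    headers = sign_request(secret, "GET", "/v1/flights", 1706745600)
    print(headers)
    print(verify_request(secret, "GET", "/v1/flights", headers, now=1706745610))
    print(verify_request(secret, "GET", "/v1/flights", headers, now=1706745600 + 600))
```

The order of checks matters: presence and timestamp freshness are tested before the HMAC is recomputed, so an expired or malformed request costs no MAC computation, and the comparison uses hmac.compare_digest rather than ==.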

Origin Protection Model

Agent → Your Origin: BLOCKED

Direct access rejected — no valid HMAC signature

Agent → PayFence → Origin: ALLOWED

Valid token + HMAC signature → request proceeds

Origin Protection

In proxy mode, your origin URL is never exposed to consumers. Agents only know the PayFence gateway URL. Even if an attacker discovers your real origin through DNS enumeration or other means, they cannot make valid requests because your origin rejects anything without a valid HMAC signature.

For additional protection, you can restrict your origin's firewall to only accept connections from PayFence's IP ranges. We publish a static list of IP addresses that you can whitelist, ensuring that your origin is truly unreachable from anywhere else on the internet.

In middleware mode, your origin is publicly accessible, but every request is validated against PayFence before processing. Your server calls our authorization endpoint and only proceeds if the token is valid and quota is available.

Data Privacy

PayFence is built on a fundamental principle: we never store request or response bodies. When a request flows through our proxy, the body is forwarded to your origin in a streaming fashion. We never buffer, log, or cache it.

The only data we process is metadata: the HTTP method, request path, API token, and our authorization decision (allow or deny). This metadata is stored for billing, analytics, and audit purposes. Response bodies flow directly from your origin to the consumer without PayFence inspection.

This design means PayFence is safe for sensitive data flows. Whether your API handles personal information, financial data, or proprietary content, the data itself never touches our storage systems.

What we store (metadata only)

HTTP method (GET, POST, etc.)
Request path (/v1/flights)
API token identifier
Authorization decision (allow / deny)
Timestamp and response time
Plan and remaining quota

What we never store

Request body / payload
Response body / payload
Query parameter values
Authorization header values
IP addresses of end users
Cookies or session data

Audit log
{
  "id": "log_8f2a1b3c",
  "timestamp": "2025-01-31T14:22:08Z",
  "site_id": "site_travel_api",
  "token_id": "tok_abc123",
  "plan": "pro",
  "method": "GET",
  "path": "/v1/flights",
  "decision": "allow",
  "remaining": 94521,
  "latency_ms": 12,
  "mode": "proxy"
}

{
  "id": "log_9d4e5f6a",
  "timestamp": "2025-01-31T14:22:09Z",
  "site_id": "site_travel_api",
  "token_id": "tok_xyz789",
  "plan": "starter",
  "method": "GET",
  "path": "/v1/hotels",
  "decision": "deny",
  "reason": "quota_exceeded",
  "remaining": 0,
  "mode": "proxy"
}

Audit & Logs

Every request that flows through PayFence is logged with a structured audit record. Each record includes the timestamp, token identifier, plan, HTTP method, path, authorization decision, and remaining quota.

Audit logs are available in real time through the dashboard and can be exported via the API. You can filter by token, plan, decision type, time range, or path pattern. This gives you full visibility into who is accessing your API, how often, and whether they are hitting quota limits.

For compliance requirements, audit logs are retained for 90 days on all plans. Growth and Scale plans include extended retention and the ability to stream logs to your own infrastructure via webhook or S3-compatible storage.
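As an added example (not PayFence's code or API), the following shows how an exported batch of audit records in the shape shown above can be filtered the way the dashboard describes, summarised per decision, and checked before it is streamed onward so that nothing from the "what we never store" list has crept in. It assumes the export is JSON Lines (one record per line); the forbidden key names are hypothetical stand-ins for the items in that list, and the third record is constructed to trigger the check.

```python
import json
from collections import Counter

# Constructed JSON Lines export: the two records shown on this page plus one constructed
# record that deliberately carries a field the page says is never stored.
SAMPLE_EXPORT = """
{"id": "log_8f2a1b3c", "timestamp": "2025-01-31T14:22:08Z", "site_id": "site_travel_api", "token_id": "tok_abc123", "plan": "pro", "method": "GET", "path": "/v1/flights", "decision": "allow", "remaining": 94521, "latency_ms": 12, "mode": "proxy"}
{"id": "log_9d4e5f6a", "timestamp": "2025-01-31T14:22:09Z", "site_id": "site_travel_api", "token_id": "tok_xyz789", "plan": "starter", "method": "GET", "path": "/v1/hotels", "decision": "deny", "reason": "quota_exceeded", "remaining": 0, "mode": "proxy"}
{"id": "log_constructed01", "timestamp": "2025-01-31T14:22:11Z", "site_id": "site_travel_api", "token_id": "tok_xyz789", "plan": "starter", "method": "POST", "path": "/v1/hotels", "decision": "deny", "reason": "quota_exceeded", "remaining": 0, "mode": "proxy", "authorization": "Bearer EXAMPLE-NOT-A-REAL-TOKEN"}
"""

# Hypothetical key names standing in for the page's "what we never store" list
# (bodies, query values, Authorization header values, end-user IPs, cookies/session data).
FORBIDDEN_KEYS = {"body", "request_body", "response_body", "query", "query_params",
                  "authorization", "ip", "client_ip", "cookies", "session"}


def parse_export(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def filter_records(records, token_id=None, plan=None, decision=None,
                   path_prefix=None, start=None, end=None):
    """Mirror the dashboard filters. ISO-8601 UTC timestamps of equal format compare as strings."""
    out = []
    for r in records:
        if token_id is not None and r.get("token_id") != token_id:
            continue
        if plan is not None and r.get("plan") != plan:
            continue
        if decision is not None and r.get("decision") != decision:
            continue
        if path_prefix is not None and not r.get("path", "").startswith(path_prefix):
            continue
        if start is not None and r.get("timestamp", "") < start:
            continue
        if end is not None and r.get("timestamp", "") > end:
            continue
        out.append(r)
    return out


def summarize(records) -> dict:
    """Decision counts plus the tokens that were denied for exhausted quota."""
    decisions = Counter(r.get("decision") for r in records)
    quota_hit = sorted({r["token_id"] for r in records
                        if r.get("decision") == "deny" and r.get("reason") == "quota_exceeded"})
    return {"decisions": dict(decisions), "quota_exceeded_tokens": quota_hit}


def find_forbidden_fields(record: dict) -> list:
    """Keys in a record that should never appear in metadata-only audit logs."""
    return sorted(k for k in record if k.lower() in FORBIDDEN_KEYS)


def records_with_forbidden_fields(records) -> list:
    """Records to hold back (and investigate) before streaming the export elsewhere."""
    return [r for r in records if find_forbidden_fields(r)]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print(summarize(recs))
    print([r["id"] for r in filter_records(recs, decision="deny", path_prefix="/v1/hotels")])
    for bad in records_with_forbidden_fields(recs):
        print("forbidden fields in", bad["id"], "->", find_forbidden_fields(bad))
```

The hygiene check is the part worth keeping in a real pipeline: run it on every exported batch before the webhook or S3 sink, so a logging regression that starts capturing Authorization values or end-user IPs is caught at your boundary rather than discovered in long-term storage.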

Ready to monetize your API?

Join the first wave of API builders using PayFence.

Or book a demo