Security Considerations
Understanding the Cybrid Platform security requirements and strong recommendations.
Access Tokens
Required
While it's convenient to use a bank token with all authorization scopes, this approach opens up the possibility of executing API requests on the wrong customer in the Cybrid Platform.
It is a security requirement that you generate customer-scoped access tokens for the customer-based API requests in order to scope the API request for that customer only.
For example, when executing a trade for a customer, it's critical that a customer-scoped access token is used for this API request instead of a bank token.
Creating customer tokens can easily be done via the POST /api/customer_tokens endpoint in the Identity API.
Access to resources through the Cybrid API is granted via an Authorization Scope system. Read more about scopes in How to Authenticate to the API.
Strongly Recommended
When creating customer-scoped access tokens we highly recommend taking a least privilege approach when specifying authorization scopes.
For example, if you're simply retrieving information such as trades for a customer, a customer-scoped access token with only the read scope would be the least restrictive while still providing access to the information.
API Credentials
Required
It can be quick and convenient to just embed client ID's or secrets in your code repo, but this increases the risk that those keys are compromised.
It is a security requirement that you ensure that the client ID and client secret are stored server side.
Strongly Recommended
- Make the Client ID and Client Secret available via environment variables in your build environment, either as an output of your build pipeline, or using a secrets manager such as the AWS Secrets Manager if you're deploying on AWS.
- Store the keys in an encrypted fashion, instead of plain text. This reduces the risk of a key easily being copied and used.
- Restrict access to the Client ID and Secret to only certain people who must have access for the purposes of configuring the deployment / environment.
Customer Authentication
Required
It is a security requirement that you implement multi-factor authentication on customer account creation.
It is a security requirement that you implement multi-factor authentication on all customer transactions.
Strongly Recommended
- Verify the customer's email address on account creation.
- Implement multi-factor authentication on subsequent logins after account creation.
Updated 3 months ago