Authentication and Security
As you get set up with a terminal and move to production, you receive the following configuration information from Hyp:
URL and credentials (a username and a password) to access the Hyp Console. The username is usually an email address provided by you.
Two sets of credentials (a username and a password in each) to access Hyp's test and production APIs.
Base URLs to use for test and production environments.
The sets of credentials for the Hyp Console and APIs are not interchangeable: you use the Console credentials to access the Hyp Console, and the API credentials to access the Hyp APIs. Remember to store these credentials securely, and do not share them with anyone who should not have access to your Hyp account.
API authentication
Hyp uses basic credential-based API authentication. A typical request to a Hyp API endpoint includes your username and password in the request body:
curl -X POST --location "https://your-hyp-environment-url/xpo/Relay" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d 'user=your-api-username&password=your-api-password&int_in=xml-payload'
This type of authentication requires that you always use HTTPS so that your credentials are not exposed in transit. If you use HTTP instead of HTTPS, your credentials will be sent in plain text, which can be intercepted by attackers.
Security practices
To ensure a secure and compliant integration, make sure to implement the following security practices.
Always use HTTPS
Always use HTTPS on checkout pages that redirect to the payment pages provided by Hyp. This is critical to protect sensitive data during transactions and to prevent man-in-the-middle attacks that can occur over unsecured connections. Serving the initiating page over HTTPS also ensures a seamless user experience, as modern browsers may block or display warnings for insecure redirects.
Always use HTTPS on your backend when making API calls to Hyp. Ensure that API calls are performed over TLS 1.2 or higher. API calls over HTTP are not supported and will be rejected.
Store credentials securely
Store API credentials securely, using secret managers or environment variables. Never hardcode API credentials into your source code. Exposing credentials in code repositories, even private ones, significantly increases the risk of accidental leaks.
Ensure that API credentials are used only by server-side components and are never exposed on the frontend or in mobile applications. Design your systems to support immediate rotation of API credentials in case they are compromised.
Secure your non-production environments
Ensure that HTTPS is enabled in your non-production environments. Never bypass TLS validation by using insecure options like verify=False (in Python), --insecure (in curl), or by disabling hostname checks, even temporarily.
Clearly label and isolate test systems to prevent accidental use of production data. Use synthetic or obfuscated data instead of real customer data in non-production systems.
Exclude sensitive data from logs
If you log interactions with Hyp APIs, make sure that sensitive data, such as cardholder data and API credentials, is excluded from logs.
For more information on recommended security practices, see Payment Page Security.
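The practices above combined in one server-side client, as an added example that is not Hyp's own code: credentials come from the environment, the URL must be HTTPS, the TLS context keeps certificate and hostname checks on with a TLS 1.2 floor, and the form body is masked before logging. The environment variable names HYP_API_USER and HYP_API_PASSWORD and all function names are assumptions; the form fields and the /xpo/Relay path are taken from the curl example.

```python
import os
import ssl
import urllib.parse
import urllib.request

# Form fields that must never reach a log. "user", "password" and "int_in" are
# the fields shown in the curl example; treating the whole XML payload as
# sensitive is an assumption made here because it can carry cardholder data.
SENSITIVE_FIELDS = {"user", "password", "int_in"}


def tls_context() -> ssl.SSLContext:
    """Default context (certificate and hostname checks on), TLS 1.2 or higher."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_relay_request(base_url: str, xml_payload: str) -> urllib.request.Request:
    """Build the POST to /xpo/Relay with credentials taken from the environment."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send API credentials over a non-HTTPS URL")
    body = urllib.parse.urlencode({
        "user": os.environ["HYP_API_USER"],          # hypothetical variable name
        "password": os.environ["HYP_API_PASSWORD"],  # hypothetical variable name
        "int_in": xml_payload,
    })
    return urllib.request.Request(
        base_url.rstrip("/") + "/xpo/Relay",
        data=body.encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def redact_for_log(form_body: str) -> str:
    """Return the form body with sensitive values masked, safe to log."""
    pairs = urllib.parse.parse_qsl(form_body, keep_blank_values=True)
    return "&".join(
        f"{k}=[REDACTED]" if k in SENSITIVE_FIELDS else f"{k}={urllib.parse.quote_plus(v)}"
        for k, v in pairs
    )


def send(request: urllib.request.Request) -> bytes:
    """Send the request; the context is passed explicitly, never verify-off."""
    with urllib.request.urlopen(request, context=tls_context(), timeout=30) as resp:
        return resp.read()
```

Log the output of redact_for_log(request.data.decode()) rather than the request body itself.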
Content security policy
If you integrate Hyp's payment page in an iframe, you must ensure that your content security policy (CSP) only allows loading the iframe from Hyp's servers. You should also include the frameAncestorURLs property set to your merchant website domain(s) in your payment page requests. For details, see Full-Page Redirect vs Iframe-Based Integration.
Restoring lost credentials
If you have lost or forgotten the password for the Hyp Console, please use the Console's password reset functionality. You can find the Forgot Password? (שכחתי סיסמה) link on the login page of your Hyp Console.
If you have lost or forgotten your API username or password, please contact Hyp support.
Adding more users
To add more users, please follow these steps:
For Hyp Console access: please reach out to Hyp support for guidance on filling out the necessary details to provision additional users.
For API access: in most cases, you can use the same set of API credentials for all your needs in a given environment. If you still require additional API credentials, please reach out to the Hyp sales team to set up another merchant account.