# Authentication & Security

Keeping your payment data and API credentials safe is our top priority. This page explains how to authenticate your API requests and covers the best practices you'll want to follow to keep your integration secure.

## API access and authentication

To get started with the Hyp Pay API, you'll need these three pieces of information:

1. `Masof`: Your terminal number.
2. `KEY`: An API key that acts as a unique ID.
3. `PassP`: Your API password.

You'll get these credentials from a Hyp representative or find them in your Hyp Pay account, as we've explained in [Prerequisites & Initial Setup](/pay/getting-started/prerequisites-and-initial-setup.md).

Hyp uses **query string API authentication**. This means a typical request to one of our endpoints includes your API key, password, and terminal number as URL parameters. It looks something like this:

{% code overflow="wrap" %}

```http
https://pay.hyp.co.il/p/?action=APISign&What=SIGN&KEY=your-api-key&PassP=your-api-password&Masof=your-terminal-number
```

{% endcode %}

Because your credentials are right there in the URL, you must:

* **Always use HTTPS** to make sure your credentials stay encrypted while traveling over the internet. Plain HTTP would send them in cleartext, where anyone on the network path could read them.
* **Only call Hyp APIs from your backend**. Never make these API calls from a browser or a mobile app: the credentials would be visible to anyone who inspects the client's code or its network traffic.

The sections below dive into more detail on how to keep your integration safe and sound.

## Security practices

We keep our [payment pages very secure](/pay/security/payment-page-security.md). On your end, to keep your integration secure and compliant, we recommend following these security practices.

### Always use HTTPS

Always use HTTPS on any checkout pages that send customers to a Hyp payment page. This is essential for protecting sensitive data and preventing "man-in-the-middle" attacks. Beyond security, using HTTPS also makes for a smoother user experience, since modern browsers often block or warn about insecure redirects.

The same goes for your backend: always use HTTPS when talking to our API. We require **TLS 1.2 or higher** for all connections. Any API calls made over plain HTTP will be automatically rejected.

### Store credentials securely

Keep your Hyp Pay account details safe and only share them with people who absolutely need them. It's worth remembering that anyone who gets into your Hyp Pay account can also see your API credentials.

When it comes to your code, it's best to store API credentials in a **secret manager**. You should never hardcode them directly into your source code. Even in private repositories, hardcoded secrets are an easy way for credentials to leak accidentally.

Make sure your API credentials stay on the server and never end up in frontend code or mobile apps. It's also a good idea to have a plan for **rotating your credentials** quickly if they're ever compromised.
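The following helper, added here as an illustration (it is not Hyp's SDK), shows what the two rules above look like in backend code: credentials are read from the environment (where a secret manager would inject them; the `HYP_MASOF`, `HYP_KEY` and `HYP_PASSP` variable names are placeholders chosen for this example), the request URL is composed with proper percent-encoding, and the helper refuses to build anything but an `https://` URL. The endpoint and parameter names come from the request shown earlier on this page; `call_api` takes an injectable HTTP function so the logic can be exercised without hitting the live API.

```python
"""Server-side Hyp Pay request helper (added illustration, not Hyp's own SDK)."""
import os
import urllib.request
from urllib.parse import urlencode, urlsplit

# Assumption: the secret manager injects the three credentials into the
# process environment under these (placeholder) variable names.
CREDENTIAL_ENV_VARS = {"Masof": "HYP_MASOF", "KEY": "HYP_KEY", "PassP": "HYP_PASSP"}

# Endpoint taken from the request shown on this page.
DEFAULT_BASE_URL = "https://pay.hyp.co.il/p/"


class ConfigError(ValueError):
    """Raised when the integration is misconfigured in a way that could leak credentials."""


def load_credentials(environ=None):
    """Read Masof, KEY and PassP from the environment; fail loudly if any is missing."""
    environ = os.environ if environ is None else environ
    credentials = {}
    for param, var in CREDENTIAL_ENV_VARS.items():
        value = environ.get(var, "").strip()
        if not value:
            raise ConfigError(f"missing Hyp credential: set {var}")
        credentials[param] = value
    return credentials


def build_request_url(action, params, credentials, base_url=DEFAULT_BASE_URL):
    """Compose the query-string authenticated URL, refusing anything but HTTPS."""
    if urlsplit(base_url).scheme.lower() != "https":
        raise ConfigError("credentials travel in the query string; only HTTPS is allowed")
    # urlencode percent-encodes every value, so a password containing '&' or '='
    # cannot break the query string or be misread as another parameter.
    query = {"action": action, **params, **credentials}
    return f"{base_url}?{urlencode(query)}"


def _default_http_get(url, timeout):
    # urlopen verifies the server certificate against the system trust store by
    # default; never hand it an unverified SSL context, even in staging.
    with urllib.request.urlopen(url, timeout=timeout) as response:
        return response.status, response.read().decode("utf-8", errors="replace")


def call_api(action, params, credentials, http_get=_default_http_get, timeout=10):
    """Perform one API call from the backend. `http_get` is injectable for tests."""
    url = build_request_url(action, params, credentials)
    return http_get(url, timeout)


if __name__ == "__main__":
    status, body = call_api("APISign", {"What": "SIGN"}, load_credentials())
    print(status, body)
```

Because `load_credentials` raises on a missing variable and `build_request_url` raises on a non-HTTPS base URL, a misconfigured deployment fails at startup instead of quietly sending credentials the wrong way.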

### Secure your non-production environments

Don't forget about security in your test and staging environments — HTTPS is just as important there. Avoid the temptation to skip TLS validation with "insecure" flags (like `verify=False` in Python's `requests` or `--insecure` in curl) even for a quick test.

It's also a smart move to keep your test systems clearly labeled and separate from production. This helps prevent mix-ups and ensures you're only using **synthetic test data** rather than real customer information in your non-production environments.

### Exclude sensitive data from logs

If your server logs its interactions with the Hyp API, double-check that you're not logging sensitive info like API credentials. A good approach is to write a small helper that **masks the values** of `KEY`, `PassP`, and any customer-related parameters before they ever hit your logging system.
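One way to write that masking helper, added here as an example and not taken from Hyp's code: `mask_query_params` rewrites a URL so the values of `KEY`, `PassP` and any customer-related parameters become `REDACTED`, `mask_text` does the same for `name=value` pairs wherever they appear in free-form text (exception messages, raw request dumps), and `RedactingFilter` hooks the masking into Python's `logging` so it runs before any record reaches a handler. The customer field names in `DEFAULT_SENSITIVE` (`clientname`, `email`, `phone`) are constructed placeholders, not Hyp parameter names; replace them with the parameters your integration actually sends.

```python
"""Log redaction for Hyp API traffic (added illustration, not Hyp's code)."""
import io
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "REDACTED"

# Names are compared case-insensitively. KEY and PassP are the credentials named
# on this page; the other entries are constructed examples of customer fields.
DEFAULT_SENSITIVE = frozenset({"key", "passp", "clientname", "email", "phone"})


def mask_query_params(url, sensitive=DEFAULT_SENSITIVE):
    """Return the URL with the values of sensitive query parameters replaced."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(name, MASK if name.lower() in sensitive else value) for name, value in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


def mask_text(text, sensitive=DEFAULT_SENSITIVE):
    """Redact name=value pairs anywhere in free-form text, e.g. an exception message."""
    names = "|".join(re.escape(name) for name in sorted(sensitive))
    # A value ends at the next '&', whitespace or quote character.
    pattern = re.compile(rf"(?i)\b({names})=([^&\s\"']*)")
    return pattern.sub(lambda m: f"{m.group(1)}={MASK}", text)


class RedactingFilter(logging.Filter):
    """Attach to a handler (or logger) so masking happens before the record is emitted."""

    def __init__(self, sensitive=DEFAULT_SENSITIVE):
        super().__init__()
        self.sensitive = sensitive

    def filter(self, record):
        # Render the message now so interpolated arguments are masked as well.
        record.msg = mask_text(record.getMessage(), self.sensitive)
        record.args = ()
        return True


def make_redacting_logger(name, stream, sensitive=DEFAULT_SENSITIVE):
    """Build a logger whose single handler writes redacted lines to `stream`."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter(sensitive))
    logger.addHandler(handler)
    return logger


def capture_redacted(messages, sensitive=DEFAULT_SENSITIVE):
    """Log each message through a redacting logger and return what reached the sink."""
    stream = io.StringIO()
    logger = make_redacting_logger("hyp.redaction.demo", stream, sensitive)
    for message in messages:
        logger.info("%s", message)
    return stream.getvalue()


if __name__ == "__main__":
    # Constructed sample line; the credential values are placeholders.
    sample = "GET https://pay.hyp.co.il/p/?action=APISign&What=SIGN&KEY=abc123&PassP=s3cret&Masof=1234 -> 200"
    print(capture_redacted([sample]), end="")
```

Applying the filter on the handler rather than in each call site means a stray `logger.exception(...)` that happens to include the request URL is masked too, which is where credentials most often slip into logs.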

### Content security policy

If you're embedding the Hyp Pay payment page in an **iframe** — maybe to support **Apple Pay** or **Google Pay** directly on your site — you'll want to update your **content security policy (CSP)**. By adding Hyp Pay to your `frame-src` directive, you tell the browser that it's safe to load our payment page on your website.

A typical CSP header that enables loading Hyp Pay's payment pages in an iframe would look something like this:

```http
Content-Security-Policy: frame-src 'self' https://pay.hyp.co.il;
```

## Restoring lost credentials

If you've forgotten your Hyp Pay account password, don't worry — you can just use the **password reset** feature. You'll find the **?שכחת סיסמה** (**Forgot Password?**) link right on the Hyp Pay login page.

If you need to find your API username or password again, you can always retrieve them from your Hyp Pay account as we've described in [Prerequisites & Initial Setup](/pay/getting-started/prerequisites-and-initial-setup.md).

