How SwissPay handles security at the API layer.
At a glance
| Layer | What we do |
|---|---|
| Transport | All API traffic uses TLS 1.2 or higher. |
| Authentication | Every request requires a bearer API key. Keys are issued from the dashboard and can be rotated or revoked at any time. |
| Card data | The API never returns full PANs or CVVs. Card details supplied on a payment request are processed by our card-processing partners; only non-sensitive fields (brand, last 4, expiry month/year) are returned to you. |
| Idempotency | POST /api/v1/payments requires an Idempotency-Key header; safe to retry. |
| Tenant isolation | Object IDs from one account never resolve when queried from another — unknown IDs return 404. |
| Infrastructure | The API runs in Microsoft Azure's Switzerland North region with continuous monitoring. |
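
The transport, authentication and idempotency rows above, seen from the client side, as an added example that is not SwissPay's own code. The `Authorization: Bearer` header form, the UUID key format, the retry-on-5xx policy, the payment fields and the `host` value are assumptions; only the endpoint path and the `Idempotency-Key` header name come from this page.

```python
import http.client
import json
import ssl
import uuid

API_PATH = "/api/v1/payments"  # endpoint named in the table above


def tls_context():
    """Client context with certificate checks on and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def https_send(host):
    """Return a transport for `host` (placeholder: use your real API host)."""
    def send(method, path, headers, body):
        conn = http.client.HTTPSConnection(host, timeout=10, context=tls_context())
        try:
            conn.request(method, path, body=body, headers=headers)
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()
    return send


def create_payment(send, api_key, payment, max_attempts=3):
    """POST one payment, reusing a single Idempotency-Key across retries."""
    headers = {
        "Authorization": f"Bearer {api_key}",  # assumed header form for the bearer key
        "Idempotency-Key": str(uuid.uuid4()),  # assumed format; generated once per payment
        "Content-Type": "application/json",
    }
    body = json.dumps(payment).encode()
    last_error = None
    for _ in range(max_attempts):
        try:
            status, data = send("POST", API_PATH, headers, body)
        except (TimeoutError, ConnectionError) as exc:
            last_error = exc  # outcome unknown: retry with the same key
            continue
        if status < 500:  # success or client error: retrying would not help
            return status, data
        last_error = RuntimeError(f"server error {status}")
    raise last_error
```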
What you can read more about
- Data protection — what data we hold and how.
- Responsible disclosure — how to report a security issue.
Reporting a security concern
If you believe you have found a security vulnerability in SwissPay, please report it to security@swisspay.ai. Do not file a public issue or post on social media until we have had a chance to respond. See Responsible disclosure for the formal policy.
For a non-security operational issue, contact support@swisspay.ai.