Skip to main content

Security controls in place

Paylead is implementing a subset of mechanisms to ensure safe implementation and use of its APIs.
Paylead enforce use of cryptography with strong algorithms and parameters.
  • In transit. All API endpoints and Webhooks use TLS 1.2 or higher with secured ciphersuites.
  • At rest. Paylead encrypts stored data with industry-standard cryptography.
Program Managers interact with Paylead either through the Shift web portal, or directly with the Paylead API.
  • Role-based access is enforced on Shift Portal. Refer to Sign in and users for more information on available roles.
  • When resources are requested through API, the application backend enforce authorization check prior to process the operation.
While Paylead is implementing Single Sign-On (SSO) authentication for most of its web portals, password-based authentication may be used on the Shift portal (while not recommended).Minimal password requirement are enforced, as follow:
  • minimal lengh of 14 characters
  • at least 4 type of characters (uppercase, lowercase, digit, special)
  • password must not includes the username
While Paylead APIs are stateless, mechanisms are implemented to control duration of validity of user sessions.
  • When authenticated with SSO, active session are handled by the IDP server and remains valid during 30 minutes.
  • In password-based authentication mode, all calls performed from the Shift web portal are authenticated with authorization http header. JWT bearer tokens remains valid during 8 hours.
NB: On SSO mode, the session duration may be updated upon request. Contact your Paylead account manager.
  • APIs are filtered with a Web Application Firewall and Rate limits are implemented.
  • Security headers baseline is enforce on every API endpoints. Web interfaces enforce Content-Security-Policy as well.
  • The Google Recaptcha solution is implemented on web interfaces with password-based authentication.
Webhooks carry an HMAC-SHA256 signature so your back-office can verify each event was emitted by Paylead. Each event also carries an event_id to enable idempotent processing on your side.

Report a vulnerability

At Paylead, we are eager to protect our customers data and ensure the security of our services at all times. We are deeply grateful to researchers and our community who report issues so that we can coordinate a fix and responsible disclosure. All reports are thoroughly investigated internally. If you would like to report a potential weakness, you can contact us at the following address: vulnerabilities@paylead.fr You may encrypt your report to this list using the GPG key of Security team. Encryption using GPG is NOT required to make a disclosure.
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGlBNlABEADjWb4lz5N7qAqKRdS72EFvuJ8+tiVz6L9J1TTCdPIQmZy+qaZD
thp+i5LVAXcFNiK5h+qkZSGdpof0mShvQtaYCPRtMI+YjS+yvKh2VzjdAAPQnjEi
fJMWGBCIhgTkMCt0iDF2Zm2P4F1ZLO0eSOw3qKhvHCSojfMhCYH+qFoRmXIGujQt
lnbl9QUAlIIErmxylTiNGVylNUAqUEFBVYVeWc1oAteDkAtOYrghcw94ZxlSeR7x
ZzPP7Yk0/SAFF2o8MqzWGL5wMZqqPMg2mxR91eDGKYSQzYtJ8u4H6uuwkXm/S264
Id7bsx95lChJozmkssRRtBW4KD2tKxNRBu+CHwWzc8p/ddCQn46+/vbJcUWSqJz2
AO3tFkrKqObGJdI8xgtjrt8tVzsQpytz2ldHO2PjQpLgak1sH+kx6AUc/cnLAzVu
qkccdRujEimW6UxKEa3e2tPUoru4MrDDDvBxPwJovdvZyWnx+2V7yIMkrcsnEfwF
JdALxDVaCEbyT5e9QrXSpj/sEj1j2ooo+9CXafcptm5jwY8o13yFey31tY63IPF3
Oj34gKueH+vTxuY82wRXoDC5wvZ9bKiCwI/hGK17FRnW86auu+ZXMnt83rHrj23T
Ljn4MsqvrhsLoL+hvY7hMRt3TjORyphAKa0RQoN1IAuzkksmrcJPOryxLwARAQAB
tCtQYXlsZWFkIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QHBheWxlYWQuZnI+iQJU
BBMBCAA+FiEE0T34aTGjA/3yxnAjTsth9YkCwMMFAmlBNlACGwMFCQetrC0FCwkI
BwIGFQoJCAsCBBYCAwECHgECF4AACgkQTsth9YkCwMPosA//SYdUFG4tj4gQk4ZX
4ymPz7JeF/XeIJLDzkVMIYNWgE+jEZP1FQKSPqyWctZMNipYal8Q+G5TJ0iJAIre
gNZIYC668faz/4+yZD6a/or+rd+jVyN8BXW8vXvi4waWGDmlq1lt3MErdi1tVwLS
RGGgL8EjBwhkNbo7o89doHBqx04mMQ3AaLso4ucd3x4/9hQ+y5/BLIzhRRsQQL07
JMGcCReM6pVjc+JQGdwgZlZuD1F2NbVJbm+1uB3DCv7bZZhCwHk+swBjrS4ky2Jn
mV/I3VvrSG0Q9SyTHIbLRYVNwkiQR2AlaGPw/aeaExSAUgPbkqGaRguR81XQzDx4
tzWpQ2fk+WVfAYzM+K19qEV3bsZNpiN2GqF3u0Jiqs563K1qqP44yHfPxVYbTjqD
o8kvelJVNmBu5rYiKBH7fUlsUYwg/yEfYv/TRacYhb3NMzspRdnn0yiwng9b9BhY
lxeRKjK7y3klAafom3xrrLqGamj4zyxVK3rFrRYqJ9EQBOzZM+3XFUNk46/DawEv
e8wGWLZbiEwpnA3m8Z226+AJTzlo5ysbQY/nGz2NIHISpqg/eUfVQPcwxX5gzUHr
3Ta6OXgsRboXZaqlRY7HUkaSdXpGId0xDnkAMy0aag7A6/8HZ2rUitCFVNqotWAJ
kxbnxmMS7Z9QSEtnnYMIrpiLfXm5Ag0EaUE2UAEQAMQ9SDd9LLghxVftekuamIZC
NJOjrMnh7gyxDjKzH1QK8U1sfVfFVisorHixfkNhiFNjWbUE5QSXH0UWIEp6KA2C
lSyqv4tNcrUSzHIzGfLgVU+kZw7Ogdc4mA8b0cQ6M5ViUB9+4/9/2ltCew6JIl0w
/wnfQzQvuOO+1X7ZMhLbLBjNY3j1OXprBdq9j7ge3qloyRQedrTIxK2+SE2NcmsY
HHyXiudtVfNSPSX1vzxdbmQCYsIyiFjwRe4oMboJ6AobxjuQ6x0BzhtQTjYGI5T7
ljy7yYER7XI/pVQRCJk23OPuWh41jAV2X658Uk6NFr9yOaCXUdUwx1uWzwRC8gzt
WczHVwGCNZl0AmdFE9dBBbEMJDm4VkuoaGu4CMIuVS7YDFX3K90oA8EcGmR4LAVe
k+OoQuDaBovdcCkpNJi+9VYS+UFigNVaVMPbYirSWegz7ZG1TgpP5h3z/qo6q3wn
2Wc8WC2F/VbxTthetyMBFi+grrMojpGRzws8zgbda+PZu9SiCLl+T2vtZDuOHJda
lEDa3CncqONwhNopoaWMob/FoGSbxs17M60JgePuKQ0ys0zCZxEdzD+RHbu+6d8g
dg2nXM0o+xmteMduiMP4irzKJVHY7nNjH+UZ1uiDonI7v41rBEwk03Qh7yR4dLv7
wo6+1FMPwmC7LkcqFLuJABEBAAGJAjwEGAEIACYWIQTRPfhpMaMD/fLGcCNOy2H1
iQLAwwUCaUE2UAIbDAUJB62sLQAKCRBOy2H1iQLAwwmzD/0aYKKlumJYn8qaTatC
tYKdGrTYSRIuQeswyhcgvlUOYB9qhdx31klB5VittFrO48mgABJQqtmRavwIMj09
vrEONu0kPrabdf90/c5rKowqHDrBIVVeOtmFvn2AM4WVTDdL5vCkLJFrW//pMCcI
2vEW2Qs6f/D316sBu5RG/xwjTTUTlmPNZbVL1aeCyqDJaSC/U1L0/87yfw0zNc9j
I/y9J5fSPVrTDqDw2TZe/9QmWLH8KvJSQFFQmcHFXc1J/zhBFvdXFjDYEfDGGBVI
qL9ROkIHwduUZuRvXNpmOvunaoxyZzUWCvQPO5vqdKFZtauZxq0EZi2O4TWkgcUn
sxC5R6bFZuLU9QRsnfhRoWLrrQX6X68NXSRlF+OjKfp2c3yRvabMsvkfbvYrp3fR
iAqqrB7yC58Afw8JRZLsgVYO29HvOjo7mNnOabxGf7UKmQhMEkxzBHNYCIYRvkry
leMD0lhezPi208X/T6zMyYEP3QIbtm3wiSUBeJH8+rl9WXM7ZZnJIal+ey1Uqu0I
gMGVgSZbDav5lHxme6i7zkB3eccY7Qj7MVxKXVfx7Mz5U+SOm7G2LyL3vXgab09p
Ar9sX4eUd6vj+Dhnzj0KI93zOF/uOHpmPwMhU0ne6KwqdNMBmk5y+l1fht6JPLmW
XBgyXarBYA86tOj5vzaWCuNALg==
=TpIO
-----END PGP PUBLIC KEY BLOCK-----
You should use this mailing-list if:
  • You think you discovered a potential security vulnerability in Paylead’s APIs or services
  • You are unsure how a vulnerability affects Paylead’s APIs or services
  • You think you discovered a vulnerability in another project that Paylead may depends on

What’s next

API reference

Browse the Program API endpoints and download the OpenAPI specs.

WebApp (MFP)

Embed the Paylead WebApp inside your bank mobile app.