> ## Documentation Index
> Fetch the complete documentation index at: https://docs.paylead.fr/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> How Paylead enforce security mechanisms to ensure safe use of its API.

## Security controls in place

Paylead is implementing a subset of mechanisms to ensure safe implementation and use of its APIs.

<AccordionGroup>
  <Accordion title="Encryption">
    Paylead enforce use of cryptography with strong algorithms and parameters.

    * **In transit.** All API endpoints and Webhooks use TLS 1.2 or higher with secured ciphersuites.
    * **At rest.** Paylead encrypts stored data with industry-standard cryptography.
  </Accordion>

  <Accordion title="Authentication & Access control">
    Program Managers interact with Paylead either through the [Shift](/glossary#shift) web portal, or directly with the Paylead [API](/program/user-journey/quickstart).

    * Role-based access is enforced on Shift Portal. Refer to [Sign in and users](/program/shift/sign-in-and-users#manage-users) for more information on available roles.
    * When resources are requested through API, the application backend enforce authorization check prior to process the operation.
  </Accordion>

  <Accordion title="Password policy">
    While Paylead is implementing Single Sign-On (SSO) authentication for most of its web portals, password-based authentication may be used on the Shift portal (while not recommended).

    Minimal password requirement are enforced, as follow:

    * minimal lengh of 14 characters
    * at least 4 type of characters (uppercase, lowercase, digit, special)
    * password must not includes the username
  </Accordion>

  <Accordion title="User session duration on Web interfaces">
    While Paylead APIs are stateless, mechanisms are implemented to control duration of validity of user sessions.

    * When authenticated with SSO, active session are handled by the IDP server and remains valid during 30 minutes.
    * In password-based authentication mode, all calls performed from the Shift web portal are authenticated with authorization http header. JWT bearer tokens remains valid during 8 hours.

    **NB:** *On SSO mode, the session duration may be updated upon request. Contact your Paylead account manager.*
  </Accordion>

  <Accordion title="Protection against web threats">
    * APIs are filtered with a Web Application Firewall and [Rate limits](/program/user-journey/rate-limits) are implemented.
    * Security headers baseline is enforce on every API endpoints. Web interfaces enforce Content-Security-Policy as well.
    * The [Google Recaptcha](https://docs.cloud.google.com/recaptcha) solution is implemented on web interfaces with password-based authentication.
  </Accordion>

  <Accordion title="Webhook integrity">
    [Webhooks](/program/user-journey/concepts/webhooks) carry an HMAC-SHA256 signature so your back-office can verify each event was emitted by Paylead. Each event also carries an `event_id` to enable idempotent processing on your side.
  </Accordion>
</AccordionGroup>

## Report a vulnerability

At Paylead, we are eager to protect our customers data and ensure the security of our services at all times.

We are deeply grateful to researchers and our community who report issues so that we can coordinate a fix and responsible disclosure. All reports are thoroughly investigated internally.

If you would like to report a potential weakness, you can contact us at the following address: [vulnerabilities@paylead.fr](mailto:vulnerabilities@paylead.fr)

You may encrypt your report to this list using the **GPG key** of Security team.

Encryption using GPG is **NOT** required to make a disclosure.

<AccordionGroup>
  <Accordion title="GPG key">
    ```
    -----BEGIN PGP PUBLIC KEY BLOCK-----

    mQINBGlBNlABEADjWb4lz5N7qAqKRdS72EFvuJ8+tiVz6L9J1TTCdPIQmZy+qaZD
    thp+i5LVAXcFNiK5h+qkZSGdpof0mShvQtaYCPRtMI+YjS+yvKh2VzjdAAPQnjEi
    fJMWGBCIhgTkMCt0iDF2Zm2P4F1ZLO0eSOw3qKhvHCSojfMhCYH+qFoRmXIGujQt
    lnbl9QUAlIIErmxylTiNGVylNUAqUEFBVYVeWc1oAteDkAtOYrghcw94ZxlSeR7x
    ZzPP7Yk0/SAFF2o8MqzWGL5wMZqqPMg2mxR91eDGKYSQzYtJ8u4H6uuwkXm/S264
    Id7bsx95lChJozmkssRRtBW4KD2tKxNRBu+CHwWzc8p/ddCQn46+/vbJcUWSqJz2
    AO3tFkrKqObGJdI8xgtjrt8tVzsQpytz2ldHO2PjQpLgak1sH+kx6AUc/cnLAzVu
    qkccdRujEimW6UxKEa3e2tPUoru4MrDDDvBxPwJovdvZyWnx+2V7yIMkrcsnEfwF
    JdALxDVaCEbyT5e9QrXSpj/sEj1j2ooo+9CXafcptm5jwY8o13yFey31tY63IPF3
    Oj34gKueH+vTxuY82wRXoDC5wvZ9bKiCwI/hGK17FRnW86auu+ZXMnt83rHrj23T
    Ljn4MsqvrhsLoL+hvY7hMRt3TjORyphAKa0RQoN1IAuzkksmrcJPOryxLwARAQAB
    tCtQYXlsZWFkIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QHBheWxlYWQuZnI+iQJU
    BBMBCAA+FiEE0T34aTGjA/3yxnAjTsth9YkCwMMFAmlBNlACGwMFCQetrC0FCwkI
    BwIGFQoJCAsCBBYCAwECHgECF4AACgkQTsth9YkCwMPosA//SYdUFG4tj4gQk4ZX
    4ymPz7JeF/XeIJLDzkVMIYNWgE+jEZP1FQKSPqyWctZMNipYal8Q+G5TJ0iJAIre
    gNZIYC668faz/4+yZD6a/or+rd+jVyN8BXW8vXvi4waWGDmlq1lt3MErdi1tVwLS
    RGGgL8EjBwhkNbo7o89doHBqx04mMQ3AaLso4ucd3x4/9hQ+y5/BLIzhRRsQQL07
    JMGcCReM6pVjc+JQGdwgZlZuD1F2NbVJbm+1uB3DCv7bZZhCwHk+swBjrS4ky2Jn
    mV/I3VvrSG0Q9SyTHIbLRYVNwkiQR2AlaGPw/aeaExSAUgPbkqGaRguR81XQzDx4
    tzWpQ2fk+WVfAYzM+K19qEV3bsZNpiN2GqF3u0Jiqs563K1qqP44yHfPxVYbTjqD
    o8kvelJVNmBu5rYiKBH7fUlsUYwg/yEfYv/TRacYhb3NMzspRdnn0yiwng9b9BhY
    lxeRKjK7y3klAafom3xrrLqGamj4zyxVK3rFrRYqJ9EQBOzZM+3XFUNk46/DawEv
    e8wGWLZbiEwpnA3m8Z226+AJTzlo5ysbQY/nGz2NIHISpqg/eUfVQPcwxX5gzUHr
    3Ta6OXgsRboXZaqlRY7HUkaSdXpGId0xDnkAMy0aag7A6/8HZ2rUitCFVNqotWAJ
    kxbnxmMS7Z9QSEtnnYMIrpiLfXm5Ag0EaUE2UAEQAMQ9SDd9LLghxVftekuamIZC
    NJOjrMnh7gyxDjKzH1QK8U1sfVfFVisorHixfkNhiFNjWbUE5QSXH0UWIEp6KA2C
    lSyqv4tNcrUSzHIzGfLgVU+kZw7Ogdc4mA8b0cQ6M5ViUB9+4/9/2ltCew6JIl0w
    /wnfQzQvuOO+1X7ZMhLbLBjNY3j1OXprBdq9j7ge3qloyRQedrTIxK2+SE2NcmsY
    HHyXiudtVfNSPSX1vzxdbmQCYsIyiFjwRe4oMboJ6AobxjuQ6x0BzhtQTjYGI5T7
    ljy7yYER7XI/pVQRCJk23OPuWh41jAV2X658Uk6NFr9yOaCXUdUwx1uWzwRC8gzt
    WczHVwGCNZl0AmdFE9dBBbEMJDm4VkuoaGu4CMIuVS7YDFX3K90oA8EcGmR4LAVe
    k+OoQuDaBovdcCkpNJi+9VYS+UFigNVaVMPbYirSWegz7ZG1TgpP5h3z/qo6q3wn
    2Wc8WC2F/VbxTthetyMBFi+grrMojpGRzws8zgbda+PZu9SiCLl+T2vtZDuOHJda
    lEDa3CncqONwhNopoaWMob/FoGSbxs17M60JgePuKQ0ys0zCZxEdzD+RHbu+6d8g
    dg2nXM0o+xmteMduiMP4irzKJVHY7nNjH+UZ1uiDonI7v41rBEwk03Qh7yR4dLv7
    wo6+1FMPwmC7LkcqFLuJABEBAAGJAjwEGAEIACYWIQTRPfhpMaMD/fLGcCNOy2H1
    iQLAwwUCaUE2UAIbDAUJB62sLQAKCRBOy2H1iQLAwwmzD/0aYKKlumJYn8qaTatC
    tYKdGrTYSRIuQeswyhcgvlUOYB9qhdx31klB5VittFrO48mgABJQqtmRavwIMj09
    vrEONu0kPrabdf90/c5rKowqHDrBIVVeOtmFvn2AM4WVTDdL5vCkLJFrW//pMCcI
    2vEW2Qs6f/D316sBu5RG/xwjTTUTlmPNZbVL1aeCyqDJaSC/U1L0/87yfw0zNc9j
    I/y9J5fSPVrTDqDw2TZe/9QmWLH8KvJSQFFQmcHFXc1J/zhBFvdXFjDYEfDGGBVI
    qL9ROkIHwduUZuRvXNpmOvunaoxyZzUWCvQPO5vqdKFZtauZxq0EZi2O4TWkgcUn
    sxC5R6bFZuLU9QRsnfhRoWLrrQX6X68NXSRlF+OjKfp2c3yRvabMsvkfbvYrp3fR
    iAqqrB7yC58Afw8JRZLsgVYO29HvOjo7mNnOabxGf7UKmQhMEkxzBHNYCIYRvkry
    leMD0lhezPi208X/T6zMyYEP3QIbtm3wiSUBeJH8+rl9WXM7ZZnJIal+ey1Uqu0I
    gMGVgSZbDav5lHxme6i7zkB3eccY7Qj7MVxKXVfx7Mz5U+SOm7G2LyL3vXgab09p
    Ar9sX4eUd6vj+Dhnzj0KI93zOF/uOHpmPwMhU0ne6KwqdNMBmk5y+l1fht6JPLmW
    XBgyXarBYA86tOj5vzaWCuNALg==
    =TpIO
    -----END PGP PUBLIC KEY BLOCK-----
    ```
  </Accordion>
</AccordionGroup>

You should use this mailing-list if:

* You think you discovered a potential security vulnerability in Paylead's APIs or services
* You are unsure how a vulnerability affects Paylead's APIs or services
* You think you discovered a vulnerability in another project that Paylead may depends on

## What's next

<CardGroup cols={2}>
  <Card title="API reference" icon="code" href="/program/api/releases">
    Browse the Program API endpoints and download the OpenAPI specs.
  </Card>

  <Card title="WebApp (MFP)" icon="smartphone" href="/program/webapp/overview">
    Embed the Paylead WebApp inside your bank mobile app.
  </Card>
</CardGroup>
