Security
Overview of the security guardrails. Review email lifecycle events, token expiration rules, and mandatory authorization scopes to ensure your integration meets Ecart Pay’s safety standards.
Security & Validations
1. Authorization Scopes
| Endpoint | Required Scopes |
|---|---|
| POST /api/direct-debits | write_direct_debits |
| GET /api/direct-debits/:id | read_direct_debits, write_direct_debits, read_single_direct_debit |
| PATCH /api/direct-debits/:id | write_direct_debits |
| GET /api/direct-debits | read_direct_debits, write_direct_debits |
| POST /api/direct-debits/activate | write_direct_debits, activate_single_direct_debit |
2. Ownership Verification
For every request, the system performs a mandatory check that the resource being accessed belongs to the authenticated merchant account. If the authorization carries a direct_debit_id, it must match the ID in the request path exactly.
3. Temporal Tokens
Activation and validation links use temporal tokens to minimize exposure:
- Expiration: Tokens automatically expire after 24 hours.
- Scope: Tokens are restricted to specific actions related only to that unique Direct Debit resource.
- One-Time Use: Designed for single-use activation or validation flows.
4. Data Validation
- Reference Integrity: The system maintains a unique index on the 7-digit reference number to prevent duplicate charges.
- Currency Restriction: Only MXN is supported for Direct Debit transactions to comply with local banking standards.
- CLABE Validation: All 18-digit Mexican bank accounts are verified for structure and bank code validity before activation.
- Charge date validation: The next payment date must be later than the Direct Debit's creation date. For example, if the merchant sets the next payment date to 21/01, the Direct Debit must be created at least one day before.
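As an added illustration (not Ecart Pay's own code), the following Python validator applies the four rules above to one creation request. The CLABE control digit uses the standard 3-7-1 weighted mod-10 scheme; the bank-code set, the field names and the sample values are assumptions.

```python
import re
from datetime import date

# Illustrative subset of SPEI bank codes (assumption; a real integration loads
# the full catalogue instead of this hard-coded set).
KNOWN_BANK_CODES = {"002", "012", "014", "021", "072"}
CLABE_WEIGHTS = (3, 7, 1)  # standard CLABE weighting, cycled over the first 17 digits


def clabe_check_digit(first17: str) -> int:
    """Control digit: (digit * weight) mod 10 per position, summed, then (10 - sum mod 10) mod 10."""
    total = sum((int(d) * CLABE_WEIGHTS[i % 3]) % 10 for i, d in enumerate(first17))
    return (10 - total % 10) % 10


def validate_clabe(clabe: str) -> list[str]:
    """Structure check (18 digits), bank-code check, and control-digit check."""
    if not re.fullmatch(r"\d{18}", clabe):
        return ["CLABE must be exactly 18 digits"]
    errors = []
    if clabe[:3] not in KNOWN_BANK_CODES:
        errors.append(f"unknown bank code {clabe[:3]}")
    if clabe_check_digit(clabe[:17]) != int(clabe[17]):
        errors.append("CLABE control digit mismatch")
    return errors


def validate_direct_debit(payload: dict, created_on: str, seen_references: set) -> list[str]:
    """Apply all data-validation rules to one request; an empty list means it is valid.

    Dates are ISO strings (YYYY-MM-DD). `seen_references` stands in for the unique index
    on the reference number (assumed field names: clabe, currency, reference, next_payment_date)."""
    errors = validate_clabe(str(payload.get("clabe", "")))
    if payload.get("currency") != "MXN":
        errors.append("currency must be MXN")
    reference = str(payload.get("reference", ""))
    if not re.fullmatch(r"\d{7}", reference):
        errors.append("reference must be a 7-digit number")
    elif reference in seen_references:
        errors.append(f"reference {reference} already used")
    try:
        next_payment = date.fromisoformat(str(payload.get("next_payment_date", "")))
        if next_payment <= date.fromisoformat(created_on):
            errors.append("next payment date must be after the creation date")
    except ValueError:
        errors.append("next_payment_date must be an ISO date")
    if not errors:
        seen_references.add(reference)  # reserve the reference only once the request passes
    return errors
```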