Security

Security is a top priority at Merchrocket and so is the security of our API. We have designed our API to be secure and easy to use by taking a number of important steps, which are described below:

Connecting to the Merchrocket API

To access the Merchrocket API, you need to establish an HTTPS connection with at least TLS 1.2. Authentication is performed using API keys that follow industry best practices.

End-to-end security is provided at the transport layer by the HTTPS connection, so there is no need to encrypt the data separately. We only support TLS 1.2 or higher; connections using lower versions are rejected.

HTTPS protects against packet sniffing, timing and replay attacks. By using HTTPS, all data exchanged between Merchrocket and the merchant is shielded and verified as authentic. HTTPS includes hash signatures, nonces and other proven cryptographic protections.

To prevent man-in-the-middle attacks, we verify the HTTPS certificate used on https://app.merchrocket.shop/. If a client detects a forged certificate, for example one presented as a result of a compromised DNS server, the connection is refused.

Sensitive Information

All sensitive information entered by your customers on our platform is stored securely using industry-standard encryption protocols and robust access controls, supported by the security infrastructure provided by Amazon AWS.

What about webhooks?

The Merchrocket webhooks are designed to prioritise security by only sending essential information such as IDs and, if available, a status to your server. These signals indicate that an update is available for retrieval from the Merchrocket API. You are then responsible for retrieving the relevant object to access the updated details.

For added security, you have the option to define a secret key. That key is used to compute a hash over the webhook data, which lets your server validate the notification and check its integrity before acting on it.

As all API calls are made over HTTPS, the above security measures remain fully effective.
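The receiving side of the webhook flow described above, as an added example that is not Merchrocket's own code: the page does not specify the hashing scheme or header name, so this assumes a hex HMAC-SHA256 over the raw body sent in an `X-Merchrocket-Signature` header. It verifies the hash in constant time, then treats the payload only as a pointer and looks the object up through the API.

```python
import hmac
import hashlib
import json
from typing import Optional

# Assumed header name and scheme (hex HMAC-SHA256 over the raw request body);
# the page does not state how Merchrocket derives the hash from the secret key.
SIGNATURE_HEADER = "X-Merchrocket-Signature"


def sign_body(secret: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 the sender is assumed to attach."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison; a missing header is a failed check, not an exception."""
    if not header_value:
        return False
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected, header_value.strip().lower())


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes, fetch_object):
    """Validate the notification, then fetch the authoritative object via the API
    instead of trusting any detail carried in the payload. Returns (status, detail)."""
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return 401, "invalid signature"
    try:
        note = json.loads(raw_body)
        object_id = str(note["id"])
    except (ValueError, KeyError, TypeError):
        return 400, "malformed notification"
    # The payload only carries the id (and an optional status hint); the
    # up-to-date record comes from the API lookup.
    return 200, fetch_object(object_id)


# Constructed sample data: a thin notification plus a stand-in for the API call.
SECRET = b"webhook-secret-example"
SAMPLE_BODY = json.dumps({"id": "ord_123", "status": "paid"}).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign_body(SECRET, SAMPLE_BODY)}


def lookup_from_api(object_id: str) -> dict:
    # Stand-in for the authenticated GET against the Merchrocket API (constructed data).
    return {"id": object_id, "status": "paid", "total": 1999}


if __name__ == "__main__":
    print(handle_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_BODY, lookup_from_api))
```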