Integration Update - Mandatory Security Changes
Integration Update - Mandatory Security Changes
All partners integrating using Transak’s APIs are required to implement the following security changes. These measures protect against fraud, prevent session hijacking, and ensure all API calls are traceable to a verified partner and end user.
Please complete these changes by 15th July 2026 to avoid interruption to your live integration.
Mandatory Requirements from Partners
All Transak’s APIs must be called exclusively from your backend. Share your backend’s static egress IPs with Transak to be whitelisted across both staging and production environments.
CORS Protection on APIs
If your platform exposes any API that internally calls a Transak API, you must apply CORS protection to that endpoint on your side. (i.e Your Backend For Frontend)
This ensures that calls flowing through your platform originate only from your own front-end domains, and not from arbitrary third-party browsers.
Where is it Required?
CORS protection must be applied on your APIs that internally call the following Transak APIs
Generate a secure widget URL from your backend.
Integrate Transak directly through APIs without the widget.
Why This Matters?
If an API on your side is callable from any origin, an attacker can use it to create Transak widget url that appear legitimate but carry a hijacked end user context. Origin enforcement on your side is the upstream defense that makes the infrastructure level controls effective.
User IP Header in APIs
Pass the end user’s originating IP address as observed by your backend and not your backend’s own IP, and not a proxy or CDN IP. Accepts a single valid IPv4 or IPv6 address.
If you are behind a CDN, use the client IP header it injects:
Where is it Required?
Send x-user-ip on every call to the below mentioned Transak’s APIs.
Generate a secure widget URL from your backend.
Integrate Transak directly through APIs without the widget.
Error Handling
Why This Matters?
Transak uses the end user IP to pin sessions to the originating client. If a session is replayed from a different IP, it is rejected at the infrastructure level. Without a reliable user IP signal, this protection cannot be enforced, leaving sessions vulnerable to session hijacking.
API Key Header in APIs
Pass your partner API key to all Transak’s APIs. Your API key is available in the Transak Partner Dashboard.
Where is it Required?
Send x-api-key on every call to the below mentioned Transak’s APIs.
Generate a secure widget URL from your backend.
Integrate Transak directly through APIs without the widget.
Country/currency lookup, order tracking, and other public endpoints.
Error Handling
Why This Matters?
Transak uses your API key to verify that requests are coming from your registered backend. Each partner registers a set of static egress IPs with Transak and any request from an unrecognised IP is blocked, even if the API key is valid. This ensures your integration cannot be spoofed from outside your own infrastructure.
Mandatory Checklist
To finalize these security changes, every partner must complete the mandatory partner checklist. It collects the details Transak needs to secure and verify your integration — including your backend’s static egress IPs to be whitelisted, and confirmation that you have implemented CORS protection, the x-user-ip header, and the x-api-key header on every call. Submitting the checklist before the deadline ensures your live integration continues without interruption.