Integration Update - Mandatory Security Changes

Security changes required for all partners integrating Transak.

All partners integrating Transak’s APIs are required to implement the following security changes. These measures protect against fraud, prevent session hijacking, and ensure that every API call is traceable to a verified partner and end user.

Mandatory Requirements from Partners

| Change | What to do | Example |
|---|---|---|
| CORS protection on APIs | Restrict your APIs to your own front-end domains and block requests from any other origin. | `Access-Control-Allow-Origin: https://YOUR_DOMAIN.com` |
| User IP header in APIs | Forward the end user’s originating IP on every call to Transak’s APIs; it must match the IP from which the user is accessing the Transak widget. | `x-user-ip: 203.0.113.42` |
| API key header in APIs | Send your partner API key from your backend on every call to Transak’s APIs. | `x-api-key: a1d01dpa-83c0-4a55-863f-02bea44ab7e1` |

All Transak APIs must be called exclusively from your backend. Share your backend’s static egress IPs with Transak so they can be allowlisted for both the staging and production environments.


CORS Protection on APIs

If your platform exposes any API that internally calls a Transak API, you must apply CORS protection to that endpoint on your side.

This ensures that calls flowing through your platform originate only from your own front-end domains, and not from arbitrary third-party browsers.

| Control | Recommendation |
|---|---|
| `Access-Control-Allow-Origin` | Restrict to your own front-end domains explicitly. Never use a wildcard (`*`), as this exposes your integration to unauthorized cross-origin access. |
| Server-to-server header hygiene | Your backend should never blindly forward browser-controlled headers (`Origin`, `Referer`) when calling Transak. Always strip them or substitute values your backend owns and controls. |

Where is it Required?

CORS protection must be applied to those of your APIs that internally call the following Transak APIs:

Why This Matters?

If an API on your side is callable from any origin, an attacker can use it to create Transak widget URLs that appear legitimate but carry a hijacked end-user context. Origin enforcement on your side is the upstream defense that makes the infrastructure-level controls effective.
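One way to implement the origin allow-list on the partner endpoint that mints widget URLs, as an added example in Python (this is not Transak’s code or part of any Transak SDK). The names `ALLOWED_ORIGINS`, `cors_headers` and `handle_request` are chosen here, the domains are placeholders, and the request objects in the demo are constructed:

```python
"""Origin allow-listing for a partner endpoint that proxies to Transak.

Added example, not Transak's code. Replace the placeholder origins in
ALLOWED_ORIGINS with your own front-end origins (scheme + host [+ port]).
"""
from typing import Dict, Mapping, Optional, Tuple

# Exact browser origins allowed to call this endpoint. Placeholder values.
ALLOWED_ORIGINS = frozenset({
    "https://your-domain.com",
    "https://app.your-domain.com",
})
# Guard against someone "fixing" a CORS error by adding the wildcard.
assert "*" not in ALLOWED_ORIGINS


def cors_headers(request_origin: Optional[str]) -> Optional[Dict[str, str]]:
    """Return the CORS response headers for an allowed origin, or None to reject.

    Matching is exact string equality against the allow-list: no wildcard,
    no prefix/suffix/substring or regex tests. Those looser checks accept
    origins such as 'https://your-domain.com.evil.example', and the literal
    'null' origin (sandboxed iframes, some redirects) must never be allowed.
    """
    if not request_origin or request_origin not in ALLOWED_ORIGINS:
        return None
    return {
        # Echo the single matched origin, never a list and never '*'.
        "Access-Control-Allow-Origin": request_origin,
        # Caches must key the response on Origin, or one origin's ACAO
        # header gets served to another.
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
        "Access-Control-Max-Age": "600",
    }


def handle_request(method: str, headers: Mapping[str, str]) -> Tuple[int, Dict[str, str]]:
    """Decide the response for a request to your widget-URL endpoint.

    Returns (status, response_headers). The Transak call itself is out of
    scope here; the point is that a disallowed origin is refused server-side
    (403) rather than merely denied a readable response by the browser.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cors = cors_headers(lowered.get("origin"))
    if cors is None:
        # Missing or foreign Origin: refuse. A POST sent by fetch() always
        # carries Origin, so your own front end is unaffected.
        return 403, {}
    if method.upper() == "OPTIONS":
        return 204, cors            # preflight answered, no body
    return 200, cors                # real request: proceed to call Transak


if __name__ == "__main__":
    # Constructed requests for illustration.
    print(handle_request("POST", {"Origin": "https://your-domain.com"}))
    print(handle_request("POST", {"Origin": "https://your-domain.com.evil.example"}))
```

The server-side 403 matters more than the response headers: a cross-origin POST with a form-encoded body is sent without a preflight and would otherwise execute on your server even though the browser withholds the response from the calling page. A non-browser client can of course forge `Origin`; that is what the user-IP pinning and the API-key plus egress-IP allowlist described below address.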


User IP Header in APIs

Pass the end user’s originating IP address as observed by your backend: not your backend’s own IP, and not a proxy or CDN IP. The header accepts a single valid IPv4 or IPv6 address.

`x-user-ip` (string, required)

The originating end-user IP address.

If you are behind a CDN, use the client-IP header it injects:

| CDN | Header to use |
|---|---|
| Cloudflare | `cf-connecting-ip` |
| Akamai, Fastly, or others | Use the equivalent client-IP header from your CDN provider |

Only trust that header when the connecting peer is actually one of your CDN’s nodes. A client that reaches your origin directly can set the header to any value; in that case the peer address itself is the user’s IP.

Where is it Required?

Send `x-user-ip` on every call to the Transak APIs listed below:

Error Handling

| Case | HTTP status | Response body |
|---|---|---|
| Invalid IP | 400 | `x-user-ip must be a valid IPv4 or IPv6 address` |

Why This Matters?

Transak uses the end-user IP to pin a session to the originating client. If a session is replayed from a different IP, it is rejected at the infrastructure level. Without a reliable user-IP signal this protection cannot be enforced, leaving sessions open to hijacking.
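The following added Python example shows how a partner backend can derive the `x-user-ip` value safely and assemble the outbound headers for a Transak call, including the `x-api-key` header covered in the next section and the header hygiene recommended above. It is not Transak’s code: `TRUSTED_PROXY_NETS` holds placeholder networks standing in for your CDN’s published ranges, the API key is a dummy, and the request data in the demo is constructed.

```python
"""Derive x-user-ip and build the headers for a backend-to-Transak call.

Added example, not Transak's code. TRUSTED_PROXY_NETS holds placeholder
networks standing in for your CDN's published ranges; the API key is a dummy.
"""
import ipaddress
from typing import Dict, Mapping, Optional

# Networks your CDN (or load balancer) connects to your origin from.
# Placeholder values: load the real list from your CDN's range feed.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:c0de::/48"),
]

# Header your CDN injects with the real client IP (Cloudflare's is shown;
# Akamai, Fastly and others use their own names).
CLIENT_IP_HEADER = "cf-connecting-ip"


def parse_single_ip(value: Optional[str]) -> Optional[str]:
    """Return a normalised IPv4/IPv6 address string, or None.

    Rejects empty values and lists such as '203.0.113.42, 198.51.100.7'
    (X-Forwarded-For style), which Transak's own validation would refuse.
    """
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def resolve_user_ip(peer_ip: str, headers: Mapping[str, str]) -> Optional[str]:
    """Pick the end user's IP as observed by this backend, or None.

    If the TCP peer is one of your CDN's nodes, the CDN-injected header is
    authoritative. Otherwise the header is untrusted (the client can set any
    value) and the peer address itself is the user's IP. None means fail
    closed: do not call Transak with a guessed or forwarded value.
    """
    peer = parse_single_ip(peer_ip)
    if peer is None:
        return None
    peer_addr = ipaddress.ip_address(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    # ip_address in ip_network is False across IPv4/IPv6, so mixing is safe.
    if any(peer_addr in net for net in TRUSTED_PROXY_NETS):
        return parse_single_ip(lowered.get(CLIENT_IP_HEADER))
    return peer


def transak_headers(peer_ip: str, inbound: Mapping[str, str], api_key: str) -> Dict[str, str]:
    """Build the outbound header set for a Transak API call.

    The dict is built from scratch instead of copying the browser's request,
    so Origin, Referer, cookies and any client-set x-user-ip or x-api-key
    never reach Transak; both mandatory headers come from values this
    backend owns.
    """
    user_ip = resolve_user_ip(peer_ip, inbound)
    if user_ip is None:
        raise ValueError("could not determine a single valid end-user IP")
    return {
        "content-type": "application/json",
        "x-user-ip": user_ip,
        "x-api-key": api_key,
    }


if __name__ == "__main__":
    # Constructed request: reached us via a trusted CDN node, header honoured.
    via_cdn = {"CF-Connecting-IP": "203.0.113.42", "Origin": "https://your-domain.com"}
    print(transak_headers("198.51.100.7", via_cdn, "dummy-api-key"))
    # Constructed request: direct connection carrying a forged CDN header.
    direct = {"cf-connecting-ip": "10.0.0.1"}
    print(resolve_user_ip("203.0.113.9", direct))  # peer address wins
```

Returning `None` and raising on the outbound path is deliberate: a request whose user IP cannot be established should be answered with a 400 on your side rather than sent to Transak with a proxy address, which would both fail validation and, if it ever passed, pin the session to the wrong client.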


API Key Header in APIs

Pass your partner API key on every call to Transak’s backend APIs. Your API key is available in the Transak Partner Dashboard.

`x-api-key` (string, required)

Partner API key, available in the Transak Partner Dashboard.

Where is it Required?

Send `x-api-key` on every call from your partner backend to the following Transak APIs:

Error Handling

| Case | Outcome |
|---|---|
| `x-api-key` header missing | Request rejected |
| Unknown or invalid key | Request rejected |
| Source IP not in your partner allowlist | Request rejected |

Why This Matters?

Transak uses your API key to verify that requests are coming from your registered backend. Each partner registers a set of static egress IPs with Transak, and any request from an unrecognised IP is blocked even if the API key is valid. This ensures your integration cannot be spoofed from outside your own infrastructure.


Need Assistance?