
# Integration Update - Mandatory Security Changes

All partners integrating using [Transak's APIs](/api/public/end-points) are required to implement the following security changes. These measures protect against fraud, prevent session hijacking, and ensure all API calls are traceable to a verified partner and end user.

## Mandatory Requirements from Partners

| Changes | What to Do | Example |
| ------- | ---------- | ------- |
| [CORS Protection on APIs](#cors-protection-on-apis) | Restrict your APIs to your own front-end domains and block requests from any other origin. | `Access-Control-Allow-Origin: https://YOUR_DOMAIN.com` |
| [User IP Header in APIs](#user-ip-header-in-apis) | Forward the end user's originating IP on every call to [Transak's APIs](/api/public/end-points), ensuring it matches the IP from which the user is accessing the Transak widget. | `x-user-ip: 203.0.113.42` |
| [API Key Header in APIs](#api-key-header-in-apis) | Send your partner API key from your backend on every call to [Transak's APIs](/api/public/end-points). | `x-api-key: a1d01dpa-83c0-4a55-863f-02bea44ab7e1` |

All [Transak's APIs](/api/public/end-points) must be called exclusively from your **backend**. Share your backend's static egress IPs with Transak to be whitelisted across both staging and production environments.

***

## CORS Protection on APIs

If your platform exposes any API that internally calls a Transak API, you must apply CORS protection to that endpoint on your side.

This ensures that calls flowing through your platform originate only from your own front-end domains, and not from arbitrary third-party browsers.

| Control | Recommendation |
| ------- | -------------- |
| `Access-Control-Allow-Origin` | Restrict to your own front-end domains explicitly. Never use a wildcard (`*`), as this exposes your integration to unauthorized cross-origin access. |
| Server-to-Server Header Hygiene | Your backend should never blindly forward browser-controlled headers (`Origin`, `Referer`) when calling Transak. Always strip or substitute them with values your backend owns and controls. |
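The following is an added example, not code from Transak's documentation or SDKs, showing how a partner backend can enforce the explicit-origin rule above in front of an endpoint that calls a Transak API. The partner domains, the `validateAllowedOrigins` and `corsDecision` helpers, and the decision shape they return are assumptions for illustration; the logic is written as pure functions so it can be checked without a running server.

```javascript
// Added example (not Transak's code): explicit-origin CORS enforcement for a
// partner endpoint that proxies to a Transak API.

// Validate the allowlist once at startup. The partner domains below are
// placeholders; real values come from your own deployment config, never
// from the request.
function validateAllowedOrigins(origins) {
  for (const o of origins) {
    if (o === '*') {
      throw new Error('wildcard Access-Control-Allow-Origin is not permitted');
    }
    let url;
    try {
      url = new URL(o);
    } catch {
      throw new Error(`not an absolute origin: ${o}`);
    }
    // Require a bare https origin: no http, no path, no trailing slash.
    if (url.protocol !== 'https:' || url.origin !== o) {
      throw new Error(`allowed origin must be a bare https origin: ${o}`);
    }
  }
  return new Set(origins);
}

const ALLOWED_ORIGINS = validateAllowedOrigins([
  'https://app.example-partner.com',
  'https://www.example-partner.com',
]);

// Decide how to answer a request from its method and (lower-cased) headers.
// Returns { status, headers }: a non-null status means "respond now with this
// status and do not call Transak"; null means "proceed and attach headers".
function corsDecision(method, requestHeaders, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = requestHeaders['origin'];

  // No Origin header: not a cross-origin browser request, so CORS has nothing
  // to decide. The API-key and egress-IP controls still govern the upstream call.
  if (origin === undefined) {
    return { status: null, headers: {} };
  }

  // Exact-match allowlist. Suffix or regex matching is what lets
  // "example-partner.com.evil.example"-style origins through.
  if (!allowedOrigins.has(origin)) {
    return { status: 403, headers: {} };
  }

  const headers = {
    'Access-Control-Allow-Origin': origin, // echo the verified origin, never '*'
    'Vary': 'Origin',                      // shared caches must key on Origin
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
  };

  if (method === 'OPTIONS') {
    // Preflight is answered locally; Transak is never called for it.
    return { status: 204, headers };
  }
  return { status: null, headers };
}
```

Because `validateAllowedOrigins` runs at startup, a deployment that slips `*` or a non-https origin into the list fails to boot instead of silently opening the endpoint to every site.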

### Where is it Required?

CORS protection must be applied on your APIs that internally call the following Transak APIs:

| Transak API                                                                                        | Used In                                                                                                                                              |
| -------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Create Widget URL API](https://docs.transak.com/api/public/create-widget-url)                     | [Widget Integration](/integration/web/website-redirection), [Whitelabel Integration](/integration/api)                                               |
| [Transaction Session API](https://docs.transak.com/api/headless-apple-pay/transaction-session-api) | [Headless Apple Pay](/features/headless-apple-pay), [Headless Google Pay](/features/headless-google-pay), [Headless Cards](/features/headless-cards) |

### Why This Matters?

If an API on your side is callable from any origin, an attacker can use it to create Transak widget URLs that appear legitimate but carry a hijacked end-user context. Origin enforcement on your side is the upstream defense that makes the infrastructure-level controls effective.

***

## User IP Header in APIs

Pass the **end user's originating IP address** as observed by your backend, not your backend's own IP and not a proxy or CDN IP. The header accepts a single valid IPv4 or IPv6 address.

| Header | Description |
| ------ | ----------- |
| `x-user-ip` | The originating end-user IP address. |

If you are behind a CDN, use the client IP header it injects:

| CDN                       | Header to use                                              |
| ------------------------- | ---------------------------------------------------------- |
| Cloudflare                | `cf-connecting-ip`                                         |
| Akamai, Fastly, or others | Use the equivalent client IP header from your CDN provider |

### Where is it Required?

Send `x-user-ip` on **every call** to the following [Transak's APIs](/api/public/end-points).

| Transak API                                                                                        | Used In                                                                                                                                              |
| -------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Create Widget URL API](https://docs.transak.com/api/public/create-widget-url)                     | [Widget Integration](/integration/web/website-redirection), [Whitelabel Integration](/integration/api)                                               |
| [Transaction Session API](https://docs.transak.com/api/headless-apple-pay/transaction-session-api) | [Headless Apple Pay](/features/headless-apple-pay), [Headless Google Pay](/features/headless-google-pay), [Headless Cards](/features/headless-cards) |
| [Whitelabel APIs](/api/whitelabel/end-points)                                                      | [API Integration](/integration/api), [Transak Stream On-Ramp](/products/transak-stream-on-ramp)                                                      |

**Error Handling**

| Case       | HTTP Status | Response Body                                    |
| ---------- | ----------- | ------------------------------------------------ |
| Invalid IP | `400`       | `x-user-ip` must be a valid IPv4 or IPv6 address |

### Why This Matters?

Transak uses the end user IP to pin sessions to the originating client. If a session is replayed from a different IP, it is rejected at the infrastructure level. Without a reliable user IP signal, this protection cannot be enforced, leaving sessions vulnerable to session hijacking.

***

## API Key Header in APIs

Pass your **partner API key** on every call to Transak's backend APIs. Your API key is available in the [Transak Partner Dashboard](https://dashboard.transak.com).

| Header | Description |
| ------ | ----------- |
| `x-api-key` | Partner API Key present in Transak Dashboard. |

### Where is it Required?

Send `x-api-key` on **every call** from your partner backend to the following Transak APIs:

| Transak API                                                                                        | Used In                                                                                                                                              |
| -------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Create Widget URL API](https://docs.transak.com/api/public/create-widget-url)                     | [Widget Integration](/integration/web/website-redirection), [Whitelabel Integration](/integration/api)                                               |
| [Transaction Session API](https://docs.transak.com/api/headless-apple-pay/transaction-session-api) | [Headless Apple Pay](/features/headless-apple-pay), [Headless Google Pay](/features/headless-google-pay), [Headless Cards](/features/headless-cards) |
| [Whitelabel APIs](/api/whitelabel/end-points)                                                      | [API Integration](/integration/api), [Transak Stream On-Ramp](/products/transak-stream-on-ramp)                                                      |

**Error Handling**

| Case                                    | Outcome          |
| --------------------------------------- | ---------------- |
| `x-api-key` header missing              | Request rejected |
| Unknown or invalid key                  | Request rejected |
| Source IP not in your partner allowlist | Request rejected |

### Why This Matters?

Transak uses your API key to verify that requests are coming from your registered backend. Each partner registers a set of static egress IPs with Transak and any request from an unrecognised IP is blocked, even if the API key is valid. This ensures your integration cannot be spoofed from outside your own infrastructure.

***

## Need Assistance?

Contact the team and find resources to help with your integration.