Security
FetcherPay is built with security and compliance as foundational principles. We never store raw card data and maintain strict access controls.
PCI DSS Compliant
Card data is tokenized and vaulted by our PCI Level 1 providers. FetcherPay never touches raw card numbers.
SOC 2 Type II
Audited controls for security, availability, and confidentiality.
HIPAA Ready
Business Associate Agreements available for healthcare customers.
End-to-End Encryption
TLS 1.3 for all API connections. AES-256 encryption at rest.
Authentication
All API requests require a Bearer token in the Authorization header.
Authorization: Bearer fp_test_<your_key>
Idempotency
Prevent duplicate operations by including an Idempotency-Key header. Keys are valid for 24 hours.
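To make the two mechanisms above concrete, here is an added example (not FetcherPay's own code) that models them end to end: a client builds the Authorization and Idempotency-Key headers, and a hypothetical in-memory server checks the Bearer token, replays the stored response when the same key is retried within 24 hours, and treats the key as fresh once the window has passed. The server model, the constructed key values (fp_test_example, order-8841-attempt), the charge id format, and the rule that a reused key with a different body is rejected with 422 are all assumptions made for the example.

```python
import hashlib
import json

IDEMPOTENCY_TTL_SECONDS = 24 * 60 * 60  # keys are valid for 24 hours (per the page)


def build_headers(api_key: str, idempotency_key: str) -> dict:
    """Client side: Bearer token in Authorization, plus an Idempotency-Key header."""
    return {
        "Authorization": f"Bearer {api_key}",
        "Idempotency-Key": idempotency_key,
        "Content-Type": "application/json",
    }


def payload_fingerprint(body: dict) -> str:
    """Stable hash of the request body, so a key reused with a different body is detectable."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ChargeServer:
    """Hypothetical server model of the page's auth and idempotency rules (not FetcherPay's code)."""

    def __init__(self, valid_keys, ttl=IDEMPOTENCY_TTL_SECONDS):
        self.valid_keys = set(valid_keys)
        self.ttl = ttl
        self.charges = []   # every charge actually created
        self._seen = {}     # idempotency key -> (expires_at, fingerprint, stored response)

    def handle(self, headers: dict, body: dict, now: float) -> dict:
        # 1. Authentication: every request needs a valid Bearer token.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[len("Bearer "):] not in self.valid_keys:
            return {"status": 401, "error": "invalid_api_key"}

        # 2. Idempotency: replay the stored response for a key seen within the last 24h.
        key = headers.get("Idempotency-Key")
        if key:
            entry = self._seen.get(key)
            if entry is not None:
                expires_at, fp, response = entry
                if now < expires_at:
                    if fp != payload_fingerprint(body):
                        # Assumption: same key with a different body is a client error.
                        return {"status": 422, "error": "idempotency_key_payload_mismatch"}
                    return response  # retry of the same operation: no second charge
                del self._seen[key]  # window elapsed: treat as a brand-new request

        # 3. Perform the operation once and remember the result under the key.
        charge_id = f"ch_{len(self.charges) + 1:04d}"  # constructed id format
        self.charges.append({"id": charge_id, **body})
        response = {"status": 201, "id": charge_id, "amount": body["amount"]}
        if key:
            self._seen[key] = (now + self.ttl, payload_fingerprint(body), response)
        return response


def demo() -> dict:
    """Walk through the cases a client and server both need to get right."""
    server = ChargeServer(valid_keys={"fp_test_example"})           # constructed key
    body = {"amount": 1999, "currency": "usd", "source": "tok_example"}  # constructed body
    t0 = 1_700_000_000.0
    headers = build_headers("fp_test_example", "order-8841-attempt")  # one key per logical operation

    first = server.handle(headers, body, t0)                 # charge created
    replay = server.handle(headers, body, t0 + 5)            # reply was lost; client retries same key
    charges_after_replay = len(server.charges)               # still exactly one charge
    mismatch = server.handle(headers, {**body, "amount": 5000}, t0 + 10)
    expired = server.handle(headers, body, t0 + IDEMPOTENCY_TTL_SECONDS + 1)  # after 24h: new charge
    unauth = server.handle(build_headers("fp_test_wrong", "other-key"), body, t0)
    return {
        "first": first,
        "replay": replay,
        "charges_after_replay": charges_after_replay,
        "mismatch": mismatch,
        "expired": expired,
        "unauth": unauth,
        "total_charges": len(server.charges),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point for the client side is that the idempotency key is generated once per logical operation (one order, one refund) and reused on every retry of that operation; generating a fresh key per HTTP attempt defeats the protection entirely.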
Idempotency-Key: <your-unique-key>
IP Whitelisting
Production API access can be restricted to specific IP addresses. Contact support to configure IP allowlists.
Audit Logging
All API requests and webhook deliveries are logged with timestamps, IP addresses, and request fingerprints. Logs are retained for 7 years per financial regulations.