diff --git a/api-reference/customer-cards/protocol.mdx b/api-reference/customer-cards/protocol.mdx index 7b89b25..f6175e2 100644 --- a/api-reference/customer-cards/protocol.mdx +++ b/api-reference/customer-cards/protocol.mdx @@ -129,6 +129,10 @@ Errors are classified into two categories: 1. **Retriable errors**: these are transient issues where retrying once is appropriate 2. **Integration errors**: these are typically programming or configuration errors. These errors won't be retried and cached for 5 minutes. +## Security + +Plain supports [request signing](/api-reference/request-signing) and [mTLS](/api-reference/mtls) to verify that the request was made by Plain and not a third party. + ### Retriable errors The following errors are **retried once** after a **1-second delay**: diff --git a/api-reference/mtls.mdx b/api-reference/mtls.mdx new file mode 100644 index 0000000..75b1ba7 --- /dev/null +++ b/api-reference/mtls.mdx 
@@ -0,0 +1,36 @@ +--- +title: 'mTLS' +--- + +All outbound requests made to your **webhook targets** and **customer card endpoints** include a client TLS certificate which you can verify to achieve mutual authentication. + +This certificate is self-signed. In order to verify it, we provide our CA's certificate (in PEM format), which you will need to add to your server/truststore: + +``` +-----BEGIN CERTIFICATE----- +MIIDDzCCAfegAwIBAgIUYpBaPwE3ax76Ly63jq88l3JYdQkwDQYJKoZIhvcNAQEL +BQAwFjEUMBIGA1UEAwwLUGxhaW5NdGxzQ0EwIBcNMjQxMDA5MTEzMzIwWhgPMjEy +NDA5MTUxMTMzMjBaMBYxFDASBgNVBAMMC1BsYWluTXRsc0NBMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyDRzyrtm9AqMo8MgFYkPrpme6qi5bJDF/1r +hd2Xs0xVucqTz7SMsVACxfpHvamWg/d5n2655tCQV0QWEot/DRjWJx+rxf1NQLkJ +TK13c9o6ED62hzhm1MLyLFx11BorZKk6+CwNTp0hHdAQlASapFpQFwjtHtnRNUCr +VjQiB79Qwx/0sw3vkhEmWuqy9ot7k6/31hexHkqAe4IRcBE7nmQhA2/BNfZdM6so +z6cX4XEmPks+GEgP0K0362wRuugdn31lFuOXW7o3g0H0hsk2vEu5VonfvfVs71H5 +7Ih7ngJADKF/Zhza6xvEU88dpxvbXBnB2rIdeIjQ/Iei9KR8gwIDAQABo1MwUTAd +BgNVHQ4EFgQUI2yEkljVdGcvHaKo7UTYVENZs7wwHwYDVR0jBBgwFoAUI2yEkljV +dGcvHaKo7UTYVENZs7wwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC +AQEAFPx/Fd9SOpGuaaZjc8EBmLfo6RJ8EjPImjw+ifsgVtMgTAIPre70Xg7CNozg +QXL0S31bkMRpEnCTTaVfo3B8SXMcFGT9wz7JQmlp2h3TM962LcRFWZQS7mc1b9TI +ko1e6wHtxquQ4HUZcuH267eGu8WuK1USe+YwpwoCdVg/lqHIHLQeX1HUWhs7y8mL +1UQ2Vo/1CJINaMckCZgu8BDOB6Bfz98l7MttfHY+pRwMQ6Dfz2+V8zhd3BHnQIUo +IMJXXsQcVPqqw2OHSpOdeaHcLvitd5Jbznfi4SVMP3CW3HcJIQquLaafzMjgPOIK +Nu6k8VchASKnnXyziDRnQvBwAw== +-----END CERTIFICATE----- +``` + + + If you serve your API through AWS API Gateway, you can easily do this by [enabling mTLS and + uploading the + certificate](https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html) + above as the truststore. + diff --git a/api-reference/webhooks.mdx b/api-reference/webhooks.mdx index e53ba58..1719123 100644 --- a/api-reference/webhooks.mdx +++ b/api-reference/webhooks.mdx 
@@ -50,7 +50,7 @@ If you want, you can include basic authentication credentials in your webhook ta Authorization: Basic cGxhaW46cm9ja3M= ``` -Plain also supports [request signing](/api-reference/request-signing) to verify that the request was made by Plain and not a third party. +Plain also supports [request signing](/api-reference/request-signing) and [mTLS](/api-reference/mtls) to verify that the request was made by Plain and not a third party. ## Delivery semantics
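Review bot: In the protocol.mdx hunk, the new `## Security` heading is inserted between the error-category list and `### Retriable errors`, so the existing `### Retriable errors` (and presumably `### Integration errors` after it) now render as subsections of Security rather than of the errors section. Move the `## Security` block after the error subsections, or place it before the errors section, so the heading hierarchy stays intact.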
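Review bot: In the new mtls.mdx, "This certificate is self-signed" contradicts the next sentence, which says the client certificate is verified against a CA certificate that Plain provides; a certificate verified through a CA is CA-issued, not self-signed (it is the CA certificate itself that is self-signed). Suggest: "This certificate is issued by a private CA operated by Plain. To verify it, add the CA certificate below (PEM format) to your server's truststore." The page should also state in prose what a verifier can expect rather than leaving it to be decoded from the PEM: the CA's subject, its validity period, and how customers will be notified when the CA or client certificate is rotated, since any truststore pinned to this single CA certificate stops accepting requests at that point. Separately, the indented paragraph after the PEM block reads like the body of a callout; confirm whether a wrapping component was intended there, as plain indented text will render as an ordinary paragraph.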
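Review bot: The webhooks.mdx sentence is now nearly identical to the one added in protocol.mdx ("Plain also supports [request signing](...) and [mTLS](...) to verify that the request was made by Plain and not a third party."); consider a shared snippet so the two pages cannot drift, and note that mtls.mdx already lists webhook targets as covered, so the two descriptions should agree on that scope.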