Security Best Practices
A checklist for integrating SheerID securely — protect API tokens, create verifications from your backend, verify webhook signatures, and apply least privilege.
Overview
This page collects the security practices that matter most for a SheerID integration. Each item links to its detailed guide.
Keep API tokens server-side
An API token is a bearer credential — anyone who has it can call the API as you.
- Never embed a token in browser JavaScript, a single-page app, or a mobile app binary. Keep it on your server.
- Prefer dynamic (OAuth) tokens, which expire after 30 days, over static tokens, which never expire — a leaked dynamic token has a bounded blast radius. See API Tokens.
- Store tokens encrypted at rest, transmit them only over HTTPS, and rotate or revoke immediately if one is compromised.
Create verifications from your backend
The recommended, abuse-resistant posture is to create the verification with an authenticated request from your server, then hand the user the resulting verificationId (or the hosted form) — so verification IDs can only originate from you. See Authentication and Secure Verification Creation.
Verify webhook signatures
Every webhook includes an X-SheerID-Signature header — an HMAC-SHA256 of the raw request body. Verify it before trusting a request, and make your handler idempotent (deliveries may be retried). See Verify the signature.
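The check described above, as an added Python example that is not SheerID's own code: it recomputes HMAC-SHA256 over the raw body, compares in constant time, and acknowledges retried deliveries without reprocessing them. The hex encoding of the signature, the secret value, and the use of `verificationId` as the dedupe key are assumptions for the example, not details taken from this page.

```python
import hmac
import hashlib
import json

# Assumption: the header carries the hex digest of HMAC-SHA256(secret, raw_body).
# The page does not state the encoding; adjust this one line if it differs.
def verify_signature(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """True only if header_value matches HMAC-SHA256 over the raw, unparsed body."""
    if not header_value:
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time compare: a plain == leaks how much of the prefix matched.
    return hmac.compare_digest(expected, header_value.strip().lower())


class WebhookHandler:
    """Authenticates each delivery first, then processes it at most once."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen: set[str] = set()      # use durable storage in production
        self.processed: list[str] = []

    def handle(self, raw_body: bytes, headers: dict) -> tuple[int, str]:
        # 1. Verify before parsing: nothing in an unverified body is trusted.
        sig = headers.get("X-SheerID-Signature", "")
        if not verify_signature(self._secret, raw_body, sig):
            return 401, "invalid signature"
        # 2. Parse only once the signature checks out.
        try:
            payload = json.loads(raw_body)
        except ValueError:
            return 400, "malformed body"
        # Assumption: verificationId is the dedupe key; a retry repeats it.
        vid = payload.get("verificationId")
        if not isinstance(vid, str):
            return 400, "missing verificationId"
        # 3. Idempotency: an already-handled delivery is acknowledged, not redone.
        if vid in self._seen:
            return 200, "duplicate ignored"
        self._seen.add(vid)
        # Payload carries no PII; details are fetched server-side with a scoped token.
        self.processed.append(vid)
        return 200, "ok"


# Constructed sample delivery for demonstration (not a real SheerID webhook).
SECRET = b"example-webhook-secret"
SAMPLE_BODY = b'{"verificationId":"abc123","currentStep":"success"}'
SAMPLE_SIG = hmac.new(SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()
```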
Apply least privilege
- Grant the Customer PII role only to the tokens and services that genuinely need to read personal data; everything else can work with status and metadata. See Data Handling & Privacy.
- Webhook payloads never contain PII — fetch details server-side with an appropriately scoped token.
Protect reward codes
If a reward code should not appear in public verification responses, configure its visibility as PROTECTED_ONLY so it is returned only from token-protected endpoints and the confirmation email. See Offer Codes.
Allowlist SheerID’s webhook IPs
If your webhook endpoint sits behind a firewall, allowlist SheerID’s outbound notifier IP addresses so deliveries are not blocked. See Static IP Addressing.
General hygiene
- Serve every endpoint over HTTPS.
- Validate and sanitize all input before acting on it.
- Never log API tokens or consumer PII.