Keep keys, checkout, webhooks, and environments separated.

• Enable 2FA before creating production keys, webhooks, payout methods, or live operational workflows.
• Use individual user accounts instead of shared logins.
• Review team access when staff, contractors, or systems change.
• Contact Alpha support from a verified business contact path if an owner/admin loses 2FA access.

• Store secret keys only on your server or secret manager.
• Never embed sk_test, sk_staging, or sk_production keys in browser JavaScript, mobile apps, public repos, screenshots, or support tickets.
• Use the minimum scopes needed for your integration.
• Rotate and revoke keys from the merchant dashboard when staff or systems change.
• Keep test and live keys in separate configuration paths.

Send buyers to the Alpha checkout URL returned by the payment API. Your integration should not collect or submit card numbers, CVCs, PINs, or other payment credentials for Alpha payments.

• Verify signatures on the raw body before parsing or trusting the event.
• For encrypted webhooks, verify the signature over the encrypted body before decrypting.
• Store generated webhook decryption private keys once in your own secret manager; Alpha stores only the public key.
• Treat event delivery as at-least-once. Process idempotently by event_id.
• Do not log webhook signing secrets or full authorization headers.
• Respond with 2xx only after durable processing.
• Keep production webhook endpoints separate from staging endpoints.