Secure Password & Shared Key Integration Guide

This guide explains how to securely integrate wit

  1. RSA password encryption

  2. Shared key mechanism for securing internal backend communication

Both are mandatory for password-related and sensitive internal endpoints.

1️⃣ Password Encryption

All password fields sent to our APIs must be protected. Encryption is done using RSA with OAEP padding and SHA-256 hashing.

Encryption Standards

  Property      Requirement
  Algorithm     RSA-2048
  Padding       RSA-OAEP
  Hash          SHA-256
  Encoding      Base64
  Key Format    PKCS#1 (PEM)

Retrieve Your Public Key

  • Your RSA public key is available in the API Key section of the portal.

Example (PKCS#1 PEM format):

-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----

Encrypting Passwords

  • Encryption must be performed server-side before sending the request if encrypted = true

  • You can:

    • Implement encryption in your backend

    • Use our provided encryption tool
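The following is an added example of the client-side step described above (parse the PKCS#1 PEM public key, encrypt with RSA-OAEP/SHA-256, Base64-encode the result); it is not code from the portal or its encryption tool. It uses only the Go standard library. Because the real public key comes from the API Key section of the portal, the example generates a throwaway 2048-bit key pair locally so the round trip can be checked; the private half of that pair stands in for the server and would never exist on a client. Function names (LoadPKCS1PublicKey, EncryptPassword, DecryptPassword, NewTestKeyPEM) and the sample password are constructed for this illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// LoadPKCS1PublicKey parses an "RSA PUBLIC KEY" PEM block (PKCS#1), which is
// the format the portal hands out, and rejects any other block type or a key
// shorter than 2048 bits.
func LoadPKCS1PublicKey(pemText []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemText)
	if block == nil || block.Type != "RSA PUBLIC KEY" {
		return nil, errors.New("expected a PKCS#1 'RSA PUBLIC KEY' PEM block")
	}
	pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if bits := pub.Size() * 8; bits < 2048 {
		return nil, fmt.Errorf("key is %d bits; RSA-2048 is required", bits)
	}
	return pub, nil
}

// EncryptPassword applies RSA-OAEP with SHA-256 (Go uses the same hash for
// MGF1) and returns the Base64 text to place in the password field when
// encrypted=true. OAEP limits the plaintext to k - 2*hLen - 2 bytes, which is
// 190 bytes for a 2048-bit key; the check below turns that into a clear error.
func EncryptPassword(pub *rsa.PublicKey, password string) (string, error) {
	maxLen := pub.Size() - 2*sha256.Size - 2
	if len(password) > maxLen {
		return "", fmt.Errorf("password is %d bytes; OAEP allows at most %d", len(password), maxLen)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptPassword is the receiving side's inverse, included only so the round
// trip can be verified locally. The production private key stays on the server.
func DecryptPassword(priv *rsa.PrivateKey, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// NewTestKeyPEM generates a throwaway 2048-bit key pair (constructed test data)
// and encodes the public half as PKCS#1 PEM, standing in for the portal key.
func NewTestKeyPEM() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pemText := pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PUBLIC KEY",
		Bytes: x509.MarshalPKCS1PublicKey(&priv.PublicKey),
	})
	return priv, pemText, nil
}

func main() {
	priv, pemText, err := NewTestKeyPEM()
	if err != nil {
		panic(err)
	}
	pub, err := LoadPKCS1PublicKey(pemText)
	if err != nil {
		panic(err)
	}
	enc, err := EncryptPassword(pub, "correct horse battery staple") // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted (Base64):", enc)
	dec, _ := DecryptPassword(priv, enc)
	fmt.Println("round trip ok:", dec == "correct horse battery staple")
}
```

Two things worth noticing when running it: OAEP is randomized, so encrypting the same password twice yields different Base64 strings (that is expected and is why the ciphertext cannot be used as a lookup key), and a 2048-bit key always produces 256 ciphertext bytes, i.e. a 344-character Base64 string, which is a quick sanity check on the wire.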

2️⃣ encrypted Flag

The encrypted flag indicates whether the password is already encrypted.

Optional: You may omit this flag. The system will handle the password securely if the flag is missing.


🔹 Behavior

  Value     Meaning
  true      Password must be pre-encrypted (RSA-OAEP, SHA-256, Base64)
  false     Password is sent as plain text; backend will handle encryption
  omitted   Backend assumes default behavior and processes the password securely

🔹 Examples

Encrypted password:

Plain-text password:

Optional flag omitted (backend defaults):

⚠️ Security Notes

  • Public clients must always encrypt passwords

  • Internal backend services may send plain text or omit the flag

  • Requests without encrypted are processed securely by default


3️⃣ Shared Key for Backend Security

A shared key protects sensitive internal API endpoints. It ensures only trusted services can access password-related or critical operations.

Shared Key Rules

  • Generated server-side only

  • Stored securely (encrypted)

  • Never exposed in:

    • Client apps

    • API responses

    • Logs or error messages

    • Admin/debug screens

Logging & Monitoring

  • Logs only show key validation status (valid / invalid)

  • Logs must not contain:

    • Shared key values

    • Passwords (plain or encrypted)
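The following is an added example of how a backend can enforce the Shared Key Rules and the Logging & Monitoring rules above; it is not code from this platform. It uses only the Go standard library. The guide does not say how the key travels between services, so the request header name X-Shared-Key and the environment variable INTERNAL_SHARED_KEY are assumptions for this illustration; the key itself is loaded server-side, compared in constant time, and the audit line records only the validation status and path, never the key value.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"os"
)

// sharedKeyHeader is an assumption: the guide does not specify the transport.
const sharedKeyHeader = "X-Shared-Key"

// ValidateSharedKey compares the presented key against the expected one in
// constant time, so response timing does not reveal how many bytes matched.
// An empty expected key fails closed instead of accepting every request.
func ValidateSharedKey(presented, expected string) bool {
	if expected == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

// AuditLine is the only thing the logs record about a shared-key check:
// the outcome (valid / invalid) and the path. The key value is never included.
func AuditLine(valid bool, path string) string {
	status := "invalid"
	if valid {
		status = "valid"
	}
	return fmt.Sprintf("shared_key_check status=%s path=%s", status, path)
}

// RequireSharedKey wraps an internal handler. The rejection message is generic
// so that neither the expected value nor its format leaks in an API response.
func RequireSharedKey(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok := ValidateSharedKey(r.Header.Get(sharedKeyHeader), expected)
		log.Print(AuditLine(ok, r.URL.Path))
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Read once from the server environment (assumed variable name); never echo it.
	expected := os.Getenv("INTERNAL_SHARED_KEY")
	mux := http.NewServeMux()
	mux.Handle("/internal/password/reset", RequireSharedKey(expected,
		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintln(w, "ok")
		})))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", mux))
}
```

The constant-time compare also handles the length mismatch case: subtle.ConstantTimeCompare returns 0 for inputs of different lengths without short-circuiting on the first differing byte. Keep the key out of the mux path, the error body and the audit line; with this layout a log line for a failed check reads "shared_key_check status=invalid path=/internal/password/reset" and nothing more.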
