Additional Security Mechanisms
Use the mechanisms below for added security in your account.
In addition to the API key used to authenticate your requests, we have additional mechanisms that provide extra layers of security for your account. We recommend using at least one of them, and if possible both. Get to know them below.
IP Whitelisting
This mechanism allows you to define IPs from which we will accept requests using your API key.
Any request received from an IP not contained in the whitelist will be rejected with an HTTP 403 response. Therefore, even if your key is compromised, unless the requests originate from your infrastructure, they will be rejected.
You can define your list of whitelisted IPs by going to User Menu > Integrations > Security Mechanisms.
IP Range Configuration
You can add an authorized IP range by using x as a wildcard octet. For example, 192.168.1.x will cover from IP 192.168.1.0 to 192.168.1.255.
Attention When Configuring Wide IP Ranges
While configuring IP ranges is a flexible tool, whitelisting very large intervals can compromise your account's security and nullify the purpose of this feature.
Risk
A very wide IP range, such as one from a major cloud provider, can include thousands of servers that are not under your control. If your API key is exposed, an attacker operating within that same IP range could make valid requests to your account.
Remember that the goal of the IP Whitelist is to restrict access to the smallest possible set of addresses, following the principle of least privilege.
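The x wildcard format from the IP Range Configuration section and the wide-range check from the Risk section, as an added Python example that is not part of the Asaas documentation or platform code; the whitelist values are constructed, and support for several trailing wildcard octets and the 256-address threshold are assumptions.

```python
import ipaddress

# Constructed whitelist in the page's format: exact IPs and "x" wildcard octets.
WHITELIST = ["203.0.113.10", "192.168.1.x"]

def entry_to_network(entry):
    """Translate one whitelist entry into an IPv4 network.

    "x" in an octet position matches 0-255. The page shows only the last octet
    wildcarded; accepting several trailing wildcards (10.0.x.x) is an assumption.
    """
    octets = entry.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"malformed entry: {entry!r}")
    wild = [o.lower() == "x" for o in octets]
    first_wild = wild.index(True) if True in wild else 4
    # Wildcards must be contiguous from the right: 192.168.x.x is fine, 192.x.1.x is not.
    if not all(wild[first_wild:]):
        raise ValueError(f"non-trailing wildcard in entry: {entry!r}")
    fixed = [int(o) for o in octets[:first_wild]]
    if any(not 0 <= o <= 255 for o in fixed):
        raise ValueError(f"octet out of range in entry: {entry!r}")
    base = ".".join(str(o) for o in fixed + [0] * (4 - first_wild))
    return ipaddress.IPv4Network(f"{base}/{8 * first_wild}")

def is_valid_entry(entry):
    """True when the entry parses; useful for validating input before saving it."""
    try:
        entry_to_network(entry)
        return True
    except ValueError:
        return False

def http_status(source_ip, whitelist):
    """Mirror the documented behaviour: 200 for a whitelisted source, 403 otherwise."""
    addr = ipaddress.IPv4Address(source_ip)
    allowed = any(addr in entry_to_network(e) for e in whitelist)
    return 200 if allowed else 403

def wide_entries(whitelist, max_hosts=256):
    """Least-privilege check: entries covering more than max_hosts addresses.
    The 256 default (one wildcard octet) is an assumed threshold, not an Asaas rule."""
    return [e for e in whitelist if entry_to_network(e).num_addresses > max_hosts]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.168.1.77", "198.51.100.5"):
        print(ip, http_status(ip, WHITELIST))
    print("wide:", wide_entries(["10.x.x.x", "192.168.1.x"]))
```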
Recommendation for Cloud Servers
If your application runs in an environment with dynamic egress IPs (such as AWS, GCP, Azure, etc.), we strongly recommend using a NAT Gateway service with a static egress IP. This allows you to add a single IP or a small, controlled set of IPs to your whitelist, ensuring maximum security for your integration.
Why fix IPs?
Fixing IPs for API calls can be a useful and necessary practice.
By fixing IPs, you can restrict access to your APIs, allowing calls only from specific IPs. This helps to block unauthorized or unwanted access.
However, it also requires you to maintain a list of authorized IPs, which can make access management more complex. In exchange, it makes your requests to Asaas considerably more secure, especially in White Label operations.
Have a complex scenario and need help?
We understand that some architectures may present specific challenges in setting up a static egress IP. If this is your case and the NAT Gateway solution is not applicable, we want to better understand your scenario.
Please fill out this form so that our product team can analyze your use case and we can develop alternative security measures that meet your needs in the future.
Transfer Authorization Webhook
- By enabling this mechanism, all transfers requested in your account will trigger a webhook to your system to validate their legitimacy. Therefore, unless your system recognizes the transfer as legitimate, it will be canceled. For more details on using this mechanism, access the documentation.