Security Best Practices

To promote a safer and more efficient environment, this page provides recommendations to strengthen information security and reduce operational risks associated with the use of APIs and digital services.

These practices are recommended for customers, partners, and integrators who consume electronic interfaces and integrate with our environments.

Attention

Never share API keys, access tokens, or credentials. Do not store unnecessary sensitive data in your systems, databases, logs, or temporary files.

1. Credential and token protection

  • Never share API keys, access tokens, or credentials.
  • Store credentials in secure and protected environments, such as Secret Managers or Vaults.
  • Rotate credentials and tokens periodically.
  • Remove old, expired, or unused credentials.

2. Access control

  • Use the Principle of Least Privilege.
  • Restrict access only to authorized users and systems.
  • Revoke access immediately in cases of termination or role changes.
  • Review permissions regularly.

3. Secure communication

  • Use only secure HTTPS/TLS connections.
  • Avoid calls from public networks or untrusted environments.
  • Keep digital certificates valid and up to date.
  • Validate URLs, domains, and environments before exposing integrations in production.
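One way to enforce the last two bullets in an integration client, as an added example that is not code from this page or its API provider: every outbound base URL is checked against an allowlist of known production hosts (constructed here as `api.example.com` and `api-sandbox.example.com`; substitute your own), anything that is not plain HTTPS on port 443 is rejected before a request is ever built, and the TLS context used for the connection keeps hostname checking and certificate verification on with TLS 1.2 as the floor.

```python
import ssl
from urllib.parse import urlsplit

# Constructed allowlist of endpoints this integration may talk to.
# Replace with the hostnames documented for your own production and sandbox environments.
ALLOWED_HOSTS = frozenset({"api.example.com", "api-sandbox.example.com"})


def validate_endpoint(url, allowed_hosts=ALLOWED_HOSTS):
    """Return a normalized https://host/path URL, or raise ValueError.

    Failing loudly at configuration time is the point: a typo, an http://
    fallback, or a host swapped in via a userinfo trick ("https://good@evil/")
    should stop the client from starting rather than send credentials to the
    wrong place.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS scheme {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise ValueError(f"host {host!r} is not an approved endpoint")
    if parts.port not in (None, 443):
        raise ValueError(f"unexpected port {parts.port}")
    return f"https://{host}{parts.path or '/'}"


def is_allowed_endpoint(url, allowed_hosts=ALLOWED_HOSTS):
    """Boolean convenience wrapper around validate_endpoint()."""
    try:
        validate_endpoint(url, allowed_hosts)
        return True
    except ValueError:
        return False


def make_tls_context():
    """Client-side TLS context: verify the chain, check the hostname, TLS 1.2+.

    ssl.create_default_context() already enables verification; setting the
    minimum version explicitly keeps a future library default from loosening it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for candidate in (
        "https://API.example.com/v1/orders",
        "http://api.example.com/v1/orders",
        "https://api.example.com@evil.example.net/v1/orders",
        "https://api.example.com:8443/v1/orders",
    ):
        print(f"{candidate!r:60} -> {is_allowed_endpoint(candidate)}")
    ctx = make_tls_context()
    print("verify_mode:", ctx.verify_mode.name, "check_hostname:", ctx.check_hostname)
```

Passing the returned context to your HTTP client (for example as the `ssl` argument of `http.client.HTTPSConnection` or `urllib.request.urlopen`) keeps certificate problems from being silently ignored; a connection to a host whose certificate has expired will fail with an `ssl.SSLCertVerificationError`, which is the signal the "keep certificates valid" bullet is asking you to act on rather than suppress.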

4. Monitoring and audit

  • Monitor access, integrations, and suspicious activity.
  • Keep authentication and API consumption logs.
  • Periodically analyze security events.
  • Define alerts for unusual access attempts, recurring failures, and critical changes.
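The "recurring failures" alert in the last bullet, as an added example that is not part of the original page: a small detector that reads API access log lines in a constructed `timestamp client status path` format (your gateway's real format will differ; only the parser needs to change), keeps a sliding one-minute window of authentication failures (HTTP 401/403) per client address, and raises an alert when a single client accumulates five of them. The log lines below are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log: ISO timestamp, client IP, HTTP status, path.
# 203.0.113.7 fails authentication five times in 15 seconds; 198.51.100.4 fails
# twice, more than an hour apart, which should not trigger an alert.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 401 /v1/token
2024-05-01T10:00:05Z 203.0.113.7 401 /v1/token
2024-05-01T10:00:09Z 203.0.113.7 401 /v1/token
2024-05-01T10:00:12Z 203.0.113.7 401 /v1/token
2024-05-01T10:00:15Z 203.0.113.7 401 /v1/token
2024-05-01T10:00:20Z 198.51.100.4 200 /v1/orders
2024-05-01T10:03:00Z 198.51.100.4 401 /v1/token
2024-05-01T11:30:00Z 198.51.100.4 401 /v1/token
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<path>\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, client, status, path); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["client"], int(m["status"]), m["path"]


def find_auth_failure_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per burst as (client, first_failure, last_failure, count).

    A burst is `threshold` or more 401/403 responses from the same client
    inside `window`. After alerting, the client's window is cleared so the
    same burst is reported once and a fresh one must re-accumulate.
    """
    recent = defaultdict(deque)  # client -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, status, _path = rec
        if status not in (401, 403):
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that aged out
            q.popleft()
        if len(q) >= threshold:
            alerts.append((client, q[0], ts, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for client, first, last, count in find_auth_failure_bursts(SAMPLE_LOG):
        print(f"ALERT {client}: {count} auth failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Threshold and window are deliberately parameters: the right values depend on how chatty a legitimate integration is when it retries an expired token, so tune them against a few days of your own logs before wiring the alert to a pager.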

5. Updates and vulnerabilities

  • Keep systems, libraries, and applications up to date.
  • Fix known vulnerabilities quickly.
  • Perform periodic security testing whenever possible.
  • Implement protection against common attacks, considering references such as the OWASP Top 10.

6. Data protection

  • Handle sensitive information according to LGPD and other applicable regulations.
  • Avoid storing unnecessary data.
  • Never store sensitive data without an operational need and appropriate controls.
  • Use encryption for transmitting sensitive data, when applicable.
  • Review logs and integrations to avoid improper exposure of information.
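The "keep secrets out of logs" rule appears twice on this page, in the Attention box and in section 1, and the last bullet above asks for the same review of logs. As an added example that is neither this page's nor its API provider's code, here is a `logging.Filter` that scrubs credential-shaped values from every record before it is written: `Authorization: Bearer ...` headers and `api_key=`, `token=`, `client_secret:` style pairs. The patterns are constructed to cover common shapes; extend them for the token formats your own integrations use.

```python
import logging
import re

# Constructed patterns for common credential shapes. Each replacement keeps the
# key name (group 1) so the log line stays readable, but drops the value.
SECRET_PATTERNS = [
    # HTTP Authorization header values: "Authorization: Bearer eyJ..." / "Basic dXNlcjpw..."
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED]"),
    # key=value / "key": "value" pairs for the usual secret-bearing names
    (re.compile(
        r"(?i)((?:api[_-]?key|access[_-]?token|client[_-]?secret|secret|password|token)"
        r"[\"']?\s*[=:]\s*[\"']?)[^\s\"'&,;]+"
    ), r"\1[REDACTED]"),
]


def redact(text):
    """Return `text` with credential values replaced by [REDACTED]."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message so secrets passed as %s args are caught too."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above
        return True


def redacted_message(msg, *args):
    """Run a message through the filter the way a logger would and return the result."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def make_logger(name="api-client"):
    """Logger with the redacting filter attached; use this for all request/response logging."""
    logger = logging.getLogger(name)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    return logger


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = make_logger()
    log.info("request headers: Authorization: Bearer eyJhbGciOi.constructed.token")
    log.info("GET /v1/orders?api_key=%s&page=%d", "constructed-key-123", 2)
    log.info('token exchange response: {"client_secret": "constructed-secret", "scope": "read"}')
```

Attaching the filter to the logger rather than a single handler means the redaction happens before any handler, file or remote, sees the record; the real control, though, is still the first bullet of section 1: not writing the value in the first place. The filter is a safety net for the cases where a debug statement or a dumped request slips through review.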

7. Incident management

  • Establish internal procedures to identify and respond to security incidents.
  • Revoke affected credentials immediately.
  • Notify responsible teams and involved partners when there is operational risk.
  • Record evidence, impacts, and actions taken to support later analysis.

Commitment to security

Information Security is treated as an essential element in every operational stage. Keep your processes and controls focused on protecting the confidentiality, integrity, and availability of information transmitted through our environments and electronic interfaces.