Skip to main content

TLS / HTTPS

All Neuron API traffic is encrypted in transit using TLS 1.2 or higher. Plain HTTP requests are not accepted and will be rejected. Always use https://{host} (your Neuron’s domain) as the base URL — plain HTTP is not accepted.

Credential management

  • Store your API key, API secret, and JWTs in environment variables or a secrets manager — never hardcode them.
  • Never log full JWT tokens or HMAC secrets in your application logs.
  • Rotate API secrets with your Neuron operator if a compromise is suspected.

Rate limits and auditing

Login and account recovery endpoints are audited and may be rate-limited by the Neuron. Repeated failed attempts can result in a temporary or permanent block of the calling endpoint. Contact your Neuron operator if you are blocked.

Data handling

  • All data is encrypted at rest using AES-256.
  • Sensitive fields (e.g., account numbers) are masked in logs and responses where applicable.
Never log full API keys or authorization headers in your application logs.