TLS / HTTPS
All Neuron API traffic is encrypted in transit using TLS 1.2 or higher. Plain HTTP requests are not accepted and will be rejected.
Always use https://{host} (your Neuron’s domain) as the base URL — plain HTTP is not accepted.
Credential management
- Store your API key, API secret, and JWTs in environment variables or a secrets manager — never hardcode them.
- Never log full JWT tokens or HMAC secrets in your application logs.
- Rotate API secrets with your Neuron operator if a compromise is suspected.
Rate limits and auditing
Login and account recovery endpoints are audited and may be rate-limited by the Neuron. Repeated failed attempts can result in a temporary or permanent block of the calling endpoint. Contact your Neuron operator if you are blocked.
Data handling
- All data is encrypted at rest using AES-256.
- Sensitive fields (e.g., account numbers) are masked in logs and responses where applicable.
Never log full API keys or authorization headers in your application logs.