
Security

Comprehensive security guide for the Intraverse API platform.

Overview

The Intraverse API implements multiple layers of security to protect your data and ensure secure communication between your applications and our services.

Authentication Types

🔑 Server API Key Header

Purpose: Server-to-server communication for sensitive operations

Usage:

  • Score submission
  • Tournament management
  • Administrative operations
  • Financial transactions

Security Requirements:

  • Must be kept secret and never exposed to clients
  • Use environment variables for storage
  • Rotate regularly (recommended: every 90 days)
  • Use different keys for different environments

Format:

x-game-server-key: your-server-api-key-here

🎮 Client Key Header

Purpose: Game authentication and user identification

Usage:

  • Game authentication via play-stage.intraverse.io
  • Public game identification
  • Client-side operations

Security:

  • Safe to include in client applications
  • Public identifiers for your game
  • Never use for server-only operations

Format:

x-game-key=your-client-key

🔐 JWT Tokens

Purpose: Authenticated user sessions

Usage:

  • User-specific operations after authentication
  • Session management
  • User data access

Security:

  • Short-lived tokens with automatic expiration
  • Validate on your server
  • Never store in insecure storage

Format:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
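An added example of the "validate on your server" step, not code from the Intraverse platform or its SDK: the token header shown above decodes to {"alg":"HS256","typ":"JWT"}, so this verifier pins the algorithm to HS256, compares the signature in constant time and enforces exp. It assumes your server holds the HS256 verification secret; the secret value, the claim names and the issuing helper are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(part):
    # JWT segments are base64url without padding; restore padding before decoding
    part += "=" * (-len(part) % 4)
    return base64.urlsafe_b64decode(part)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def bearer_token(authorization_header):
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected a Bearer token")
    return token


def verify_hs256_jwt(token, secret, now=None):
    """Return the payload dict if the token is valid, otherwise raise ValueError.

    Checks performed: three segments, alg pinned to HS256 (so an 'alg: none'
    token is rejected), signature compared with hmac.compare_digest, and exp
    enforced against `now` (seconds since the epoch; injectable for tests).
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    if exp is None or now >= exp:
        raise ValueError("token expired or missing exp")
    return payload


def make_hs256_jwt(payload, secret):
    """Constructed issuing helper so the verifier can be exercised offline."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # placeholder, not a real key
    token = make_hs256_jwt({"sub": "player-1", "exp": int(time.time()) + 300}, secret)
    print(verify_hs256_jwt(bearer_token(f"Bearer {token}"), secret))
```

The algorithm pin matters as much as the signature check: a verifier that trusts the token's own alg field can be handed a token signed with nothing at all.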

Server-Only APIs

The following endpoints are server-only and must never be called from client applications:

Endpoint       Method   Purpose             Security Level
/game-point/   POST     Set player points   🔒 Server API Key Required

⚠️ CRITICAL: These endpoints require server API keys and are designed to prevent score manipulation and ensure data integrity.

Security Best Practices

🔒 API Key Management

  1. Never expose server API keys in client-side code
  2. Use environment variables to store sensitive credentials
  3. Rotate API keys regularly (recommended: every 90 days)
  4. Use different keys for different environments (dev, staging, production)
  5. Monitor API key usage for suspicious activity
  6. Implement key revocation procedures
  7. Use least privilege principle for API key permissions

🌐 Network Security

  • All API communications must use HTTPS
  • For security, no plain-HTTP endpoints are offered
  • Certificate validation is enforced
  • Implement certificate pinning for mobile apps
  • Validate SSL certificates in production

🛡️ Rate Limiting

API Type         Rate Limit                        Purpose
Server APIs      100 requests/minute per API key   Prevent abuse of sensitive operations
Client APIs      1000 requests/minute per IP       Allow reasonable client usage
Authentication   10 requests/minute per IP         Prevent brute force attacks

🔍 Request Validation

  • Input sanitization is performed on all requests
  • Schema validation ensures data integrity
  • Malicious requests are automatically blocked
  • SQL injection protection is implemented
  • XSS protection is enforced
  • CSRF protection for state-changing operations

📱 Client Application Security

  1. Use client keys for game authentication
  2. Implement proper session management
  3. Validate JWT tokens on your server
  4. Never store sensitive data in client storage
  5. Use secure communication for all API calls
  6. Implement proper error handling
  7. Validate all user inputs before sending to API
  8. Use secure random generation for authentication hashes

🔐 Authentication Flow Security

  1. Validate authentication hashes match your generated hash
  2. Set appropriate hash expiration times (recommended: 10 minutes)
  3. Implement timeout handling for authentication flows
  4. Log authentication attempts for security monitoring
  5. Handle authentication errors gracefully
  6. Implement proper session cleanup
  7. Use secure random generation for all cryptographic operations
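The hash-handling steps above (secure random generation, a 10-minute lifetime, matching the presented hash against the one you generated, and logging attempts) as one added example. This is not Intraverse's own code and the docs do not prescribe this layout; the store class, its method names and the user-id binding are assumptions about how your game server might keep track of the hashes it issued.

```python
import hmac
import secrets
import time

# Recommended lifetime from the docs: 10 minutes
HASH_TTL_SECONDS = 10 * 60


class AuthHashStore:
    """Issues one-time authentication hashes and validates them on return.

    Hypothetical helper for your game server. `clock` is injectable so the
    expiry behaviour can be tested without waiting.
    """

    def __init__(self, ttl_seconds=HASH_TTL_SECONDS, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}     # auth_hash -> (user_id, expires_at)
        self.audit = []        # (event, user_id, detail) for security monitoring

    def issue(self, user_id):
        # secrets.token_hex draws from the OS CSPRNG; random.random() is not suitable here
        auth_hash = secrets.token_hex(32)
        self._pending[auth_hash] = (user_id, self._clock() + self._ttl)
        self.audit.append(("issued", user_id, "ttl=%ds" % self._ttl))
        return auth_hash

    def _purge_expired(self, now):
        for h, (uid, exp) in list(self._pending.items()):
            if exp <= now:
                del self._pending[h]
                self.audit.append(("expired", uid, "unused hash discarded"))

    def validate(self, user_id, presented_hash):
        """True only if the hash was issued to user_id, is unexpired and unused."""
        now = self._clock()
        self._purge_expired(now)
        # Compare against each stored hash with compare_digest rather than a
        # plain == so the comparison time does not depend on matching prefixes
        match = None
        for stored in self._pending:
            if hmac.compare_digest(stored, presented_hash):
                match = stored
        if match is None:
            self.audit.append(("rejected", user_id, "unknown or expired hash"))
            return False
        stored_user, _ = self._pending.pop(match)   # one-time use: consumed on first check
        if stored_user != user_id:
            self.audit.append(("rejected", user_id, "hash bound to a different user"))
            return False
        self.audit.append(("accepted", user_id, "hash matched"))
        return True


if __name__ == "__main__":
    store = AuthHashStore()
    h = store.issue("player-1")
    print(store.validate("player-1", h), store.validate("player-1", h))  # True False
    for entry in store.audit:
        print(entry)
```

A hash is removed on the first validation attempt whether it succeeds or not, so a replayed or mis-bound hash cannot be retried; the audit list stands in for whatever log sink you feed your monitoring from.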

Error Handling

Security Error Codes

Error Code   Description                         Action Required
401          Invalid or missing authentication   Check API key or JWT token
403          Insufficient permissions            Verify API key permissions
429          Rate limit exceeded                 Wait and retry with exponential backoff
400          Invalid request format              Validate request payload
422          Validation error                    Check request data against schema

Security-Specific Error Responses

Invalid API Key

{
  "success": false,
  "error": "Unauthorized",
  "message": "Invalid API key",
  "statusCode": 401
}

Rate Limited

{
  "success": false,
  "error": "Too Many Requests",
  "message": "Rate limit exceeded",
  "statusCode": 429,
  "retryAfter": 60
}

Client-Side Request Detected

{
  "success": false,
  "error": "Forbidden",
  "message": "Server-only endpoint accessed from client",
  "statusCode": 403
}
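An added example, not Intraverse SDK code, of a game server calling the server-only /game-point/ endpoint with the x-game-server-key header and acting on the error codes and response bodies documented above: the key is read from an environment variable (the variable name INTRAVERSE_SERVER_KEY is an assumption), 429 is retried after the retryAfter value with exponential backoff and jitter as the fallback, and 401/403/400/422 are surfaced rather than retried. The request field names are placeholders, and the HTTP transport is injected so the logic runs offline.

```python
import os
import random
import time

SERVER_ONLY_ENDPOINT = "/game-point/"   # the server-only endpoint listed in the docs


class ApiError(Exception):
    """Raised for responses that a retry will not fix."""


def load_server_key(env=os.environ):
    # The server key lives only in the server's environment, never in client code
    key = env.get("INTRAVERSE_SERVER_KEY")   # variable name is an assumption
    if not key:
        raise RuntimeError("INTRAVERSE_SERVER_KEY is not set")
    return key


def backoff_delay(attempt, retry_after=None, base=1.0, cap=60.0, rng=random.random):
    """Seconds to wait before retry: honour retryAfter when the API sends one,
    otherwise exponential backoff with full jitter, capped at `cap`."""
    if retry_after is not None:
        return float(retry_after)
    return rng() * min(cap, base * (2 ** attempt))


def set_player_points(transport, server_key, player_id, points,
                      max_attempts=5, sleep=time.sleep):
    """POST to the server-only endpoint and map documented errors to actions.

    `transport(method, path, headers, body)` must return (status, parsed_json).
    A real deployment would wrap an HTTPS client here; it is a parameter so the
    error handling can be tested without network access.
    """
    headers = {
        "x-game-server-key": server_key,
        "Content-Type": "application/json",
    }
    body = {"playerId": player_id, "points": points}   # field names are assumptions
    for attempt in range(max_attempts):
        status, resp = transport("POST", SERVER_ONLY_ENDPOINT, headers, body)
        if 200 <= status < 300:
            return resp
        if status == 429:
            # Documented body carries retryAfter (seconds); fall back to backoff
            sleep(backoff_delay(attempt, resp.get("retryAfter")))
            continue
        if status == 401:
            raise ApiError("invalid or missing server key; check INTRAVERSE_SERVER_KEY")
        if status == 403:
            raise ApiError("forbidden: %s" % resp.get("message"))
        if status in (400, 422):
            raise ApiError("payload rejected: %s" % resp.get("message"))
        raise ApiError("unexpected status %d" % status)
    raise ApiError("gave up after %d rate-limited attempts" % max_attempts)


if __name__ == "__main__":
    # Constructed transport that rate-limits once, then succeeds
    seen = []

    def demo_transport(method, path, headers, body):
        seen.append(path)
        if len(seen) == 1:
            return 429, {"success": False, "error": "Too Many Requests",
                         "message": "Rate limit exceeded", "statusCode": 429,
                         "retryAfter": 1}
        return 200, {"success": True}

    print(set_player_points(demo_transport, "placeholder-key", "player-1", 10))
```

Only 429 is retried: a 401 or 403 means the credential or its permissions are wrong, and repeating the call would just add failed-authentication entries to the audit log.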

Security Headers

The API automatically includes security headers:

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin

Data Protection

Data Encryption

  • Data in transit: TLS 1.3 encryption
  • Data at rest: AES-256 encryption
  • API keys: Hashed using bcrypt
  • Passwords: Never stored in plain text

Privacy Compliance

  • GDPR compliance for EU users
  • Data retention policies enforced
  • User consent required for data collection
  • Right to deletion supported
  • Data portability available

Monitoring and Logging

Security Monitoring

  • API key usage monitoring
  • Rate limit violations tracking
  • Suspicious activity detection
  • Failed authentication logging
  • Geographic access monitoring

Audit Logs

  • All API requests are logged
  • Authentication events tracked
  • Data access monitored
  • Configuration changes recorded
  • Security incidents documented

Incident Response

Security Incident Types

  1. API key compromise
  2. Rate limit abuse
  3. Malicious request patterns
  4. Data breach attempts
  5. Authentication bypass attempts

Response Procedures

  1. Immediate key revocation if compromised
  2. Rate limit adjustments for abuse
  3. IP blocking for malicious activity
  4. User notification for data incidents
  5. Security audit after incidents

Compliance and Certifications

  • SOC 2 Type II compliance
  • ISO 27001 information security management
  • PCI DSS compliance for payment processing
  • Regular security audits conducted
  • Penetration testing performed annually

Next Steps