Livepasses

Security

Enterprise-grade security at every layer. From cryptographic pass signing to API key management, your data and your customers' data are protected.

Security by Design

Livepasses is built with security at its core. Every pass is cryptographically signed, every API call is authenticated, and every tenant's data is fully isolated. We follow industry best practices to protect your integration and your end users.

Authentication & Authorization

Industry-standard authentication with fine-grained access control.
  • OAuth 2.0 / OpenID Connect authentication
  • JWT Bearer token validation
  • Scope-based permission system (e.g., passes:read, templates:write)
  • Multi-tenant authorization with tenant context isolation
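The bullet list above names three checks a bearer token must pass before a request is served: the signature and expiry must verify, the token must carry the scope the endpoint needs, and the tenant in the token must match the tenant being accessed. The following is an added example, not Livepasses code, of those checks in Python using only the standard library. It assumes an HS256 shared secret and the claim names `scope` (space-separated, as in OAuth 2.0) and `tenant_id`; a production verifier would check RS256/ES256 signatures against the issuer's JWKS with a vetted library, but the algorithm pinning and the order of checks are the same.

```python
"""Added example (not Livepasses code): validate an HS256 JWT bearer token,
then enforce a required scope and a tenant claim. The shared secret, the
`scope` and `tenant_id` claim names and the `mint_token` helper are
assumptions constructed for the example."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"  # constructed for the example


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 token; only used here to build input for the verifier."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if algorithm, signature and expiry check out, else raise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token choose it (rejects alg=none and
    # HS256/RS256 key-confusion attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    # Constant-time comparison of the MAC.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def authorize(token: str, required_scope: str, tenant_id: str, now=None) -> bool:
    """Request is allowed only if the token is valid, carries the scope,
    and was issued for the tenant whose data is being accessed."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    scopes = set(claims.get("scope", "").split())
    return required_scope in scopes and claims.get("tenant_id") == tenant_id
```

The signature is checked before any claim is read, and the tenant check is applied even when the scope is present, so a valid `passes:read` token for one tenant cannot read another tenant's passes.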

Pass Signing & Verification

Every wallet pass is cryptographically signed to prevent tampering and fraud.
  • Detached PKCS#7 (CMS) signature over the pass manifest for Apple Wallet passes
  • JWT signing for Google Wallet passes
  • X.509 certificate management with automatic rotation
  • Separate signing certificates per pass type

API Key Security

Granular API key management with multiple layers of protection.
  • Scoped permissions per API key
  • IP address whitelisting per key
  • Separate live and test environments
  • Keys shown only once at creation — never retrievable again
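A key that is shown once and never retrievable again implies the server stores only a hash of it, and the scope and IP controls above are enforced against the record that hash points to. The following is an added example, not Livepasses code, of such a store in Python. The key format and the `lp_live_` / `lp_test_` prefixes are assumptions for the example; SHA-256 without a slow hash is adequate here only because the key is 192 bits of random material, unlike a user-chosen password.

```python
"""Added example (not Livepasses code): API keys stored as SHA-256 hashes,
with per-key scopes, a per-key IP allowlist and a live/test split.
The `lp_live_`/`lp_test_` prefixes and the key length are assumptions."""
import hashlib
import ipaddress
import secrets


class ApiKeyStore:
    def __init__(self):
        # sha256 hex digest of the key -> metadata; the plaintext is never kept.
        self._records = {}

    def create_key(self, tenant_id, scopes, allowed_cidrs, live=True):
        """Return the plaintext key exactly once; only its hash is stored."""
        prefix = "lp_live_" if live else "lp_test_"
        key = prefix + secrets.token_urlsafe(24)  # 192 bits of entropy
        self._records[hashlib.sha256(key.encode()).hexdigest()] = {
            "tenant_id": tenant_id,
            "scopes": frozenset(scopes),
            "networks": [ipaddress.ip_network(c) for c in allowed_cidrs],
            "live": live,
        }
        return key

    def lookup(self, key):
        # Looking up by digest is safe against timing attacks here: the
        # attacker would have to guess a 192-bit random key to influence it.
        return self._records.get(hashlib.sha256(key.encode()).hexdigest())

    def authorize(self, key, client_ip, required_scope, live_env=True):
        """Return (allowed, tenant_id_or_reason). Checks run in order:
        key exists, environment matches, caller IP is allowlisted, scope held."""
        meta = self.lookup(key)
        if meta is None:
            return False, "unknown key"
        if meta["live"] != live_env:
            return False, "key belongs to the other environment"
        ip = ipaddress.ip_address(client_ip)
        # An empty allowlist means no IP restriction for that key.
        if meta["networks"] and not any(ip in net for net in meta["networks"]):
            return False, "ip not allowed"
        if required_scope not in meta["scopes"]:
            return False, "missing scope"
        return True, meta["tenant_id"]
```

Because the store holds only digests, a database leak exposes no usable keys, and a customer who loses a key has to rotate it rather than ask for it back, which is the behaviour the "shown only once" bullet describes.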

Infrastructure Protection

Multiple layers of infrastructure security to defend against threats.
  • Tiered rate limiting based on subscription plan
  • Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
  • CORS policies with origin validation
  • Server identification headers stripped from responses to limit fingerprinting

Audit & Monitoring

Comprehensive logging and monitoring for full visibility.
  • API key usage tracking with path, method, and IP logging
  • Webhook delivery audit trail with request/response logging
  • OpenTelemetry distributed tracing
  • Correlation IDs for end-to-end request tracking

Data Isolation & Protection

Every tenant's data is completely isolated at the database level.
  • Full multi-tenant data isolation
  • Encrypted data transmission (TLS/HTTPS)
  • Webhook payloads signed with HMAC-SHA256
  • Automatic tenant context filtering on all queries
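An HMAC-SHA256 signature on a webhook only protects the receiver if the receiver actually checks it, over the raw body and in constant time, and rejects old deliveries. The following is an added example, not Livepasses code, of a receiver-side check in Python. The header names `X-Timestamp` and `X-Signature`, the `timestamp.body` signing layout and the five-minute tolerance are assumptions; the real format must be taken from the vendor's webhook documentation.

```python
"""Added example (not Livepasses code): verify an HMAC-SHA256 webhook
signature with a timestamp to limit replay. Header names, the signing
layout and the tolerance window are assumptions for the example."""
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: MAC over the timestamp and the raw body so neither
    can be swapped for a value from another delivery."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Receiver side. `body` must be the raw request bytes, not a re-serialised
    JSON object, or the MAC will not match."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    # Reject stale or future-dated deliveries to limit replay of a captured request.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = sign_webhook(secret, ts, body)
    received = headers.get("X-Signature", "")
    # Constant-time comparison so response timing cannot leak the correct MAC byte by byte.
    return hmac.compare_digest(expected, received)
```

Only after `verify_webhook` returns true should the body be parsed and acted on; parsing first means untrusted JSON reaches the application before its origin is established.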

Compliance & Standards

We follow industry standards and best practices to ensure your data is handled responsibly and securely.
  • HTTPS/TLS everywhere (all data encrypted in transit)
  • OAuth 2.0 / OIDC
  • PKCS#7 (CMS) signing
  • HMAC-SHA256 signed webhooks
  • OWASP best practices

Questions About Security?

If you have specific security requirements or questions about our practices, contact our team. We're happy to provide additional details for your security review.