Security Architecture

flowchart TB
subgraph Perimeter["Perimeter Security"]
WAF[Web Application Firewall]
DDoS[DDoS Protection]
RateLimit[Rate Limiting]
end

subgraph Application["Application Security"]
Auth[Authentication]
API[API Security]
Encryption[Data Encryption]
end

subgraph Infrastructure["Infrastructure Security"]
HSM[Hardware Security Module]
KMS[Key Management Service]
Audit[Audit Logging]
end

subgraph Monitoring["Security Monitoring"]
SIEM[SIEM System]
Alerts[Real-time Alerts]
Incident[Incident Response]
end

Perimeter --> Application
Application --> Infrastructure
Infrastructure --> Monitoring

Security Pillars

🔐 Authentication

Multi-factor authentication, API key management, and JWT-based session security

🛡️ Data Protection

AES-256 encryption at rest, TLS 1.3 in transit, and HSM key storage

📊 Audit & Compliance

Complete audit trails, compliance certifications, and regular security assessments

🚨 Threat Detection

Real-time monitoring, anomaly detection, and automated incident response

🔒 Key Management

Hardware Security Module (HSM) integration with automatic key rotation

🌐 Network Security

DDoS protection, WAF, and IP whitelisting capabilities

Authentication

API Key Authentication

All API requests require two headers for authentication:

| Header | Description | Format |
| --- | --- | --- |
| apiKey | Your unique API key | xf_abc123def456... |
| appId | Your application identifier | app_123e4567-... |

API Key Security

flowchart LR
subgraph Creation["Key Creation"]
Generate[Generate API Key] --> Hash[Bcrypt Hash]
Hash --> Store[Store Hash Only]
end

subgraph Usage["Key Usage"]
Request[API Request] --> Validate[Bcrypt Compare]
Validate --> Allow[Allow/Deny]
end

subgraph Rotation["Key Rotation"]
New[New Key] --> Active[Active Key]
Active --> Deprecate[Deprecate Old]
Deprecate --> Remove[Remove Old]
end

Key Management Best Practices

| Practice | Description | Importance |
| --- | --- | --- |
| Environment separation | Different keys for dev/staging/prod | Critical |
| Regular rotation | Rotate keys every 90 days | High |
| Secure storage | Environment variables, never code | Critical |
| Least privilege | Minimum required permissions | High |
| Revocation process | Immediate revocation if compromised | Critical |

JWT Session Tokens

For interactive sessions (dashboard), XentFi uses JWT tokens:

| Feature | Implementation | Benefit |
| --- | --- | --- |
| Algorithm | HS256 | Fast verification |
| Expiration | 24 hours | Reduced exposure |
| Refresh tokens | 7 days | Seamless experience |
| Revocation | Immediate | Security control |
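
An added example (not XentFi's code): a standard-library Python verifier for an HS256 session token that pins the algorithm and enforces the 24-hour lifetime from the table above. The secret, the use of the `iat`/`exp` claims, and all function names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

MAX_LIFETIME = 24 * 3600  # the 24-hour expiration from the table above

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes, header=None) -> str:  # builds constructed test input
    header = header or {"alg": "HS256", "typ": "JWT"}
    body = ".".join(_b64url(json.dumps(part).encode()) for part in (header, claims))
    return body + "." + _b64url(hmac.new(secret, body.encode(), hashlib.sha256).digest())

def verify(token: str, secret: bytes, now=None) -> dict:
    """Return the claims, or raise ValueError naming the reason for rejection."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(_unb64url(h64)), _unb64url(s64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm server-side; a token must never choose its own (alg=none, downgrade).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p64))
    if not all(isinstance(claims.get(k), (int, float)) for k in ("iat", "exp")):
        raise ValueError("missing iat/exp")
    if now >= claims["exp"]:
        raise ValueError("expired")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        raise ValueError("lifetime exceeds 24 hours")
    return claims

def check(token: str, secret: bytes, now=None) -> str:
    """Return "ok" or the rejection reason, e.g. for an audit log entry."""
    try:
        verify(token, secret, now)
    except ValueError as exc:
        return str(exc)
    return "ok"
```

Immediate revocation, also listed in the table, needs server-side state (for example a denylist of token identifiers) and is outside what signature and expiry checks can provide.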

Data Protection

Encryption at Rest

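| Data Type | Algorithm | Key Size | Storage |
| --- | --- | --- | --- |
| Private keys | AES-256-GCM | 256-bit | AWS KMS |
| API keys | bcrypt | - | Hashed only |
| Webhook secrets | AES-256-GCM | 256-bit | Encrypted |
| Database | AES-256 | 256-bit | Encrypted |
| Backups | AES-256 | 256-bit | Encrypted |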

Encryption in Transit

flowchart LR
Client[Client] --> TLS[TLS 1.3] --> API[XentFi API]
API --> TLS2[TLS 1.3] --> Blockchain[Blockchain]

subgraph Security["Security Features"]
PFS[Perfect Forward Secrecy]
HSTS[HTTP Strict Transport Security]
CP[Certificate Pinning]
end

Key Management

| Component | Solution | Certification |
| --- | --- | --- |
| Key generation | AWS KMS | FIPS 140-2 Level 3 |
| Key storage | HSM | FIPS 140-2 Level 3 |
| Key rotation | Automatic (90 days) | Best practice |
| Key backup | Multi-region | Disaster recovery |
| Access control | IAM policies | Least privilege |

API Security

Request Validation

flowchart TB
Request[API Request] --> Auth{Authentication}
Auth -->|Valid| Rate{Rate Limit}
Rate -->|Within Limit| Validate{Validation}
Validate -->|Valid| Process[Process Request]

Process --> Response[Return Response]

Security Headers

Every API response includes these security headers:

| Header | Value | Purpose |
| --- | --- | --- |
| X-Content-Type-Options | nosniff | Prevent MIME type sniffing |
| X-Frame-Options | DENY | Prevent clickjacking |
| X-XSS-Protection | 1; mode=block | XSS protection |
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Enforce HTTPS |
| Content-Security-Policy | default-src 'self' | Resource restrictions |
| Referrer-Policy | strict-origin-when-cross-origin | Referrer control |

Rate Limiting

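| Limit Type | Starter | Professional | Business | Enterprise |
| --- | --- | --- | --- | --- |
| Requests/second | 10 | 50 | 200 | Custom |
| Requests/minute | 60 | 300 | 1,000 | Custom |
| Requests/day | 10,000 | 100,000 | 1,000,000 | Custom |
| Burst capacity | 2x | 3x | 5x | Custom |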

Idempotency

Prevent duplicate requests by sending the Idempotency-Key header:
curl -X POST https://api.xentfi.com/v1/payment/links \
-H "Idempotency-Key: unique_key_123" \
...

| Feature | Implementation | Benefit |
| --- | --- | --- |
| Key format | UUID v4 | Global uniqueness |
| Storage duration | 24 hours | Prevent replay |
| Response caching | 24 hours | Consistent results |
| Conflict handling | Returns original | Safe retries |
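
An added sketch (not XentFi's implementation) of the semantics in the table above: one UUID v4 key per logical operation, reused on every retry, with the original response returned for 24 hours. `IdempotentEndpoint`, `create_with_retries`, the response shape and the simulated lost responses are hypothetical.

```python
import time
import uuid

TTL_SECONDS = 24 * 3600  # "Storage duration: 24 hours" from the table above

class IdempotentEndpoint:
    """Hypothetical in-memory model of a POST endpoint honouring Idempotency-Key."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}    # key -> (expires_at, original_response)
        self.created = []  # side effects actually performed

    def post(self, key: str, body: dict) -> dict:
        now = self.clock()
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return hit[1]  # conflict handling: return the original, do nothing new
        link = {"id": f"link_{len(self.created) + 1}", "amount": body["amount"]}
        self.created.append(link)
        self.cache[key] = (now + TTL_SECONDS, link)
        return link

def create_with_retries(endpoint, body, attempts=3, fail_first=1):
    """Client side: generate the key once, outside the retry loop."""
    key = str(uuid.uuid4())
    for attempt in range(attempts):
        response = endpoint.post(key, body)
        if attempt < fail_first:
            continue  # constructed failure: the response was lost in transit
        return key, response
    raise TimeoutError("no response received")

if __name__ == "__main__":
    now = [1_000_000.0]  # constructed clock so the 24-hour expiry can be shown
    api = IdempotentEndpoint(clock=lambda: now[0])
    key, resp = create_with_retries(api, {"amount": 50}, fail_first=2)
    print(len(api.created), resp)         # three requests, one payment link
    now[0] += TTL_SECONDS
    print(api.post(key, {"amount": 50}))  # key forgotten: a second link is created
```

A retry sent after the 24-hour window is treated as a new request, so clients should stop retrying an operation well before the key expires.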

Infrastructure Security

DDoS Protection

flowchart LR
Traffic[Incoming Traffic] --> Shield[Cloudflare DDoS Shield]
Shield --> Filter[Traffic Filtering]
Filter --> Clean[Clean Traffic]
Clean --> Origin[Origin Servers]

| Protection Layer | Capability | Threshold |
| --- | --- | --- |
| Network layer | Volumetric attacks | 100+ Gbps |
| Transport layer | Protocol attacks | Automatic |
| Application layer | HTTP floods | 1M+ requests/sec |
| Rate limiting | Per IP throttling | Configurable |

Web Application Firewall (WAF)

| Rule Category | Protection | Action |
| --- | --- | --- |
| SQL injection | Database attacks | Block |
| XSS | Script injection | Block |
| Path traversal | File access | Block |
| Malicious bots | Automated attacks | Challenge |
| Known exploits | CVE patterns | Block |

Network Segmentation

flowchart TB
subgraph Public["Public Zone"]
LB[Load Balancer]
WAF[WAF]
end

subgraph App["Application Zone"]
API[API Servers]
Workers[Background Workers]
end

subgraph Data["Data Zone"]
DB[(Database)]
Cache[(Redis)]
KMS[(KMS)]
end

LB --> WAF --> API
API --> DB
API --> Cache
Workers --> DB
API --> KMS

Monitoring & Detection

Security Monitoring

flowchart LR
subgraph Sources["Data Sources"]
Logs[Application Logs]
Metrics[System Metrics]
Network[Network Traffic]
end

subgraph Analysis["Analysis"]
SIEM[SIEM Platform]
Rules[Detection Rules]
ML[Machine Learning]
end

subgraph Response["Response"]
Alert[Real-time Alerts]
Auto[Automated Response]
Manual[Manual Review]
end

Sources --> Analysis --> Response

Alert Types

| Alert | Trigger | Response Time | Action |
| --- | --- | --- | --- |
| Suspicious login | Unusual location | Immediate | MFA challenge |
| API abuse | Rate limit exceeded | 1 minute | Temporary block |
| Data exfiltration | Large data transfer | Immediate | Block & alert |
| Configuration change | Unauthorized change | 1 minute | Alert & rollback |
| Anomalous traffic | Pattern deviation | 5 minutes | Investigation |

Audit Logging

Every security-relevant event is logged:

| Event Type | Retention | Purpose |
| --- | --- | --- |
| Authentication | 1 year | Access tracking |
| API calls | 90 days | Usage audit |
| Configuration changes | 3 years | Compliance |
| Data access | 90 days | Privacy compliance |
| Admin actions | 3 years | Internal audit |

Compliance Certifications

Current Certifications

| Certification | Status | Scope | Renewal |
| --- | --- | --- | --- |
| SOC 2 Type II | ✅ Active | Security, Availability, Confidentiality | Annual |
| ISO 27001 | ✅ Active | Information Security Management | Annual |
| PCI DSS Level 1 | ✅ Active | Payment security | Annual |
| GDPR | ✅ Compliant | Data protection | Continuous |

In Progress

| Certification | Target Date | Status |
| --- | --- | --- |
| SOC 3 | Q2 2026 | 📋 Planning |
| ISO 27701 | Q3 2026 | 🚧 In Progress |
| FedRAMP | Q4 2026 | 🔬 Assessment |

Vulnerability Management

Security Testing

flowchart LR
subgraph Testing["Testing Types"]
SAST[Static Analysis]
DAST[Dynamic Analysis]
Pen[Penetration Testing]
Audit[Code Audit]
end

subgraph Schedule["Schedule"]
Daily[Daily Scans]
Weekly[Weekly Scans]
Quarterly[Quarterly Tests]
Annual[Annual Audits]
end

Testing --> Schedule

| Test Type | Frequency | Methodology |
| --- | --- | --- |
| SAST scans | Daily | Automated |
| DAST scans | Weekly | Automated |
| Dependency scans | Daily | Automated |
| Penetration testing | Quarterly | Third-party |
| Security audit | Annual | External firm |
| Bug bounty | Continuous | Crowdsourced |

Bug Bounty Program

| Severity | Bounty Range | Examples |
| --- | --- | --- |
| Critical | 5,000 - 10,000 | Remote code execution, Auth bypass |
| High | 2,000 - 5,000 | Data breach, Privilege escalation |
| Medium | 500 - 2,000 | CSRF, Information disclosure |
| Low | 100 - 500 | Rate limiting bypass, Best practices |

Incident Response

Incident Response Process

stateDiagram-v2
[*] --> Detect: Monitoring Alert
Detect --> Analyze: Investigate
Analyze --> Contain: Confirmed
Contain --> Eradicate: Mitigation
Eradicate --> Recover: Remediation
Recover --> Postmortem: Resolved
Postmortem --> [*]: Lessons learned

Response Times

| Severity | Detection | Response | Resolution | Communication |
| --- | --- | --- | --- | --- |
| Critical | < 1 minute | < 5 minutes | < 1 hour | Immediate |
| High | < 5 minutes | < 15 minutes | < 4 hours | 1 hour |
| Medium | < 15 minutes | < 1 hour | < 24 hours | 24 hours |
| Low | < 1 hour | < 4 hours | < 1 week | Weekly report |

Business Continuity

Disaster Recovery

| Metric | Target | Description |
| --- | --- | --- |
| RPO (Recovery Point Objective) | < 15 minutes | Maximum data loss |
| RTO (Recovery Time Objective) | < 4 hours | Time to restore |
| Availability SLA | 99.9% | Uptime guarantee |
| Data durability | 99.999999999% | Data loss prevention |

Backup Strategy

flowchart LR
Production[Production Data] --> Replica[Replica in Primary Region]
Production --> Backup[Daily Backups]
Backup --> CrossRegion[Cross-Region Replication]
Backup --> Archive[Long-term Archive]

| Backup Type | Frequency | Retention | Location |
| --- | --- | --- | --- |
| Real-time replication | Continuous | 30 days | Primary region |
| Daily backups | Daily | 90 days | Secondary region |
| Weekly backups | Weekly | 1 year | Cross-region |
| Monthly archives | Monthly | 7 years | Cold storage |

Security Best Practices

  • Use environment variables - Never hardcode API keys
  • Enable MFA - Require multi-factor for dashboard access
  • Rotate keys regularly - Schedule key rotation every 90 days
  • Monitor audit logs - Review logs for suspicious activity
  • IP whitelisting - Restrict API access to trusted IPs (Enterprise)
  • Least privilege - Grant minimum required permissions

Customer Responsibilities

| Responsibility | Description | Requirement |
| --- | --- | --- |
| API key security | Store keys securely, never in code | Mandatory |
| Webhook endpoint security | Implement signature verification | Mandatory |
| User access control | Manage dashboard user permissions | Recommended |
| Data backup | Backup your transaction records | Recommended |
| Incident reporting | Report security issues immediately | Mandatory |

Reporting Security Issues

Vulnerability Disclosure

If you discover a security vulnerability, please report it immediately:

Email: security@xentfi.com
PGP Key: Download public key

What to Include

| Information | Required | Purpose |
| --- | --- | --- |
| Description | Yes | Understand the issue |
| Steps to reproduce | Yes | Verify the finding |
| Impact assessment | Yes | Prioritize fix |
| Suggested fix | Optional | Accelerate resolution |
| Proof of concept | Yes | Validate vulnerability |

Disclosure Policy

| Timeframe | Action |
| --- | --- |
| 24 hours | Acknowledgment of receipt |
| 72 hours | Initial assessment complete |
| 7 days | Fix developed and tested |
| 14 days | Patch deployed to production |
| 30 days | Public disclosure (if needed) |

Security FAQs

Private keys are encrypted with AES-256-GCM and stored in AWS KMS. Keys never leave the HSM and are never accessible to XentFi employees.
API keys are hashed using bcrypt before storage. The plaintext key is only shown once at creation and never stored.
We follow our incident response plan: detect, contain, eradicate, recover, and notify affected customers within 72 hours.
Yes, XentFi is fully GDPR compliant. We process data only for legitimate purposes and provide data export/deletion capabilities.
External penetration tests quarterly, internal audits continuously, and full security audits annually.
