OwnPay is built around the assumption that all external input is adversarial. The framework enforces prepared statements, Twig autoescaping, per-request CSRF tokens, SSRF guards, AES-256-GCM encryption at rest, and HMAC-SHA256 webhook signing out of the box. This guide explains what OwnPay provides by default and what you must configure and maintain as the operator of a self-hosted installation.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/own-pay/OwnPay-Documentation/llms.txt
Use this file to discover all available pages before exploring further.
Encryption at Rest
Customer PII Encryption
All customer personally identifiable information is encrypted before being written to the database:| Field | Storage |
|---|---|
| Name | AES-256-GCM encrypted |
| AES-256-GCM encrypted + SHA-256 hash for lookup | |
| Phone | AES-256-GCM encrypted + SHA-256 hash for lookup |
| Gateway API credentials | AES-256-GCM encrypted |
Secrets Management
Never store secrets in code, configuration files tracked by version control, or plaintext on disk:.env is excluded from version control:
.env, signing keys, or any secrets — these are generated at install time.
Webhook Signature Verification
Every outbound webhook is signed with HMAC-SHA256 using the brand’s webhook secret. Receiving applications must verify the signature before processing any webhook payload.Always pass the raw request bytes to the HMAC function. Decoding JSON and re-encoding it changes whitespace and produces a different signature. In Express, use
express.raw({ type: 'application/json' }) to capture the raw body before any middleware parses it.API Key Scopes and Minimum Privilege
OwnPay API keys carry one of three scopes. Assign the minimum scope required for each integration:| Scope | Permitted Operations | Use For |
|---|---|---|
read | GET endpoints — list transactions, customers, reports | Dashboards, reporting scripts |
write | POST/PUT/PATCH — create payments, issue refunds, manage customers | E-commerce backend, billing systems |
admin | Admin API (/api/admin/v1/*) — system settings, key generation | Internal ops tooling only |
- Create separate keys for each application or integration — never share a key between systems
- Use
readscope whenever write access is not required - Rotate keys quarterly or immediately after a suspected compromise
- Store keys in environment variables or a secrets manager, never in source code
- Keys are shown in plaintext only once upon creation — store them immediately
Two-Factor Authentication
Enable TOTP two-factor authentication for every admin and staff account that has access to financial data.Scan QR Code
Scan the QR code with any RFC 6238-compatible authenticator app (Google Authenticator, Authy, 1Password, Bitwarden).
Double-Entry Ledger Integrity
The ledger is the source of financial truth. These rules must never be violated:- Never write directly to
op_ledger_entries— all posts must go throughLedgerService::postEntries(), which validates balanced journals usingbccomp()at four-decimal precision - Never modify posted entries — the ledger is append-only; corrections are made by posting reversals
BalanceVerificationJobalerts must be investigated immediately — a mismatch means a transaction completed without a corresponding ledger post- bcmath only — all financial arithmetic must use bcmath string operations. Floats are prohibited in any money calculation
HTTPS and TLS Requirements
OwnPay enforces HTTPS at the application level:SecurityHeadersMiddlewareaddsStrict-Transport-Security: max-age=31536000; includeSubDomainson all HTTPS responsesX-Frame-Options: DENYprevents clickjacking on all pagesX-Content-Type-Options: nosniffprevents MIME-type sniffing attacksContent-Security-Policywith a per-request nonce blocks unauthorized inline scripts
- Terminate TLS with a valid certificate (Let’s Encrypt works for custom domains)
- Redirect all HTTP to HTTPS at the web server (Nginx/Apache) level
- Use TLS 1.2 or higher; disable TLS 1.0 and 1.1
Regular Backups
OwnPay does not manage your backups — you must configure this independently. Database backup:.env— containsAPP_KEY,ENCRYPTION_KEY, andJWT_SECRETstorage/— logs, cache, queue, and session datamodules/— any custom gateway or addon plugins
Security Hardening Checklist
Minimum Security (All Deployments)
Minimum Security (All Deployments)
- HTTPS with a valid TLS certificate on all domains
-
APP_DEBUG=falsein production.env - Strong, unique admin password (12+ characters, mixed case, numbers, symbols)
- OwnPay kept up to date — apply security patches immediately
- Daily encrypted database backups stored offsite
-
storage/,.env, andvendor/not accessible via web server
Standard Security (Recommended for All)
Standard Security (Recommended for All)
- Everything in Minimum, plus:
- TOTP 2FA enabled for all admin and staff accounts
- API keys scoped to minimum privilege; separate key per integration
- Webhook signature verification implemented on all receiving endpoints
- IP allowlist configured for admin routes if your team has fixed IPs
- Audit log review weekly for suspicious activity
- API keys rotated quarterly
-
CACHE_DRIVER=redisandQUEUE_DRIVER=redis(reduces attack surface vs. file-based)
High Security (Regulated Industries / Large Transaction Volumes)
High Security (Regulated Industries / Large Transaction Volumes)
- Everything in Standard, plus:
- Hardware security key for admin 2FA (FIDO2/WebAuthn)
- Web Application Firewall (WAF) in front of the server
- Intrusion detection system (IDS/IPS)
- Real-time log monitoring and alerting
- Annual penetration testing by an independent party
- Quarterly vulnerability scans
- Network segmentation (database server not publicly accessible)
- Dedicated security review before major updates
Audit Log Integrity
Every admin action is logged inop_audit_log with actor, entity, old/new values, IP address, and timestamp. Each entry is cryptographically signed — a tampered entry can be detected by running the integrity scan from Admin → Reports → Audit Log → Verify Integrity.
- Audit logs must be retained for compliance (minimum 1 year for financial records; check your jurisdiction)
- Periodically archive old entries rather than deleting them
- The
LogSanitizerstrips passwords, tokens, and card data from all log output — verify that any custom logging you add does the same
AGPL-3.0 License Compliance
If you run a modified OwnPay installation as a network service accessible to users other than yourself or your organization, the AGPL-3.0 requires that you make your modifications available under the same license. Key points:- Running OwnPay privately for your own business: no special obligations
- Distributing OwnPay as part of a product: include the full AGPL-3.0 license text
- Running a modified version as a public SaaS: source of modifications must be available to users