Documentation Index
Fetch the complete documentation index at: https://docs.revtain.com/llms.txt
Use this file to discover all available pages before exploring further.
Security Layers
| Layer | Technology | Description |
|---|---|---|
| Secrets at Rest | AES-256-GCM | All gateway credentials encrypted before database storage |
| Transport | TLS 1.2+ | All API traffic encrypted in transit |
| API Keys | Cryptographic Random | 24 random bytes, base64url-encoded, with a rev_ prefix |
| Webhook Signatures | HMAC-SHA256 | Every outbound webhook signed with the client’s webhookSigningSecret |
| Card Vault | PCI DSS Level 1 Certified Vault | Card data is processed and stored by a certified payment vault — never on Revtain application servers |
| Data Isolation | Isolated Vault Environments | Each client gets an isolated payment vault environment |
| Resilience | Exponential Backoff | Outbound gateway calls retry with backoff on 5xx errors |
| Rate Limiting | Per-API-Key | 60 requests/min on recovery; 10/min on tokenize |
Card Data Handling
Revtain does not store, process, or transmit raw card numbers on its own servers.
Fast Track Clients
Card data stays entirely within your existing payment stack. Revtain only receives gateway tokens.
Engine Room Clients
Card data flows directly to a PCI DSS Level 1 certified payment vault.
API Key Security
- Never expose API keys in client-side code, public repositories, or logs
- Store in environment variables or a secret manager (AWS Secrets Manager, Vault, etc.)
- Rotate immediately if you suspect compromise — contact support@revtain.com
- Use separate keys for different environments (dev, staging, production)
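The key format in the table above (24 random bytes, base64url, rev_ prefix) is specific enough to scan for, which is the practical way to enforce the "never in logs" rule. The following is an added example, not Revtain's own code: it generates a key in the documented shape, validates the shape, and redacts anything matching it from log text. The absence of base64 padding is an assumption (24 bytes is a multiple of 3, so base64url of the raw bytes is exactly 32 characters with no "=" either way); the log lines are constructed for the example.

```python
import base64
import re
import secrets

# Format documented on the page: 24 random bytes, base64url-encoded, "rev_" prefix.
# Assumption: no "=" padding. 24 % 3 == 0, so urlsafe_b64encode yields exactly 32 chars anyway.
KEY_BYTES = 24
KEY_BODY_LEN = 32
# Lookarounds instead of \b: "-" is not a \w character, so \b would miss keys ending in "-".
KEY_PATTERN = re.compile(
    r"(?<![A-Za-z0-9_-])rev_[A-Za-z0-9_-]{%d}(?![A-Za-z0-9_-])" % KEY_BODY_LEN
)


def generate_api_key() -> str:
    """Produce a key in the documented shape from the OS CSPRNG (illustration of the format)."""
    raw = secrets.token_bytes(KEY_BYTES)
    return "rev_" + base64.urlsafe_b64encode(raw).decode("ascii")


def is_well_formed_key(key: str) -> bool:
    """True when the whole string is exactly one key of the documented shape."""
    return KEY_PATTERN.fullmatch(key) is not None


def find_keys(text: str) -> list[str]:
    """Every substring that looks like a Revtain API key (for a pre-commit or log scanner)."""
    return KEY_PATTERN.findall(text)


def redact_keys(text: str) -> str:
    """Mask keys in free text, keeping the last 4 characters so operators can still correlate."""
    def _mask(m: re.Match) -> str:
        key = m.group(0)
        return "rev_" + "*" * (KEY_BODY_LEN - 4) + key[-4:]
    return KEY_PATTERN.sub(_mask, text)


# Constructed sample: a fixed key and log lines that leak it (not real data).
SAMPLE_KEY = "rev_AbCdEfGhIjKlMnOpQrStUvWxYz012345"
SAMPLE_LOG = (
    "2024-05-01T10:00:00Z INFO  recovery request accepted key=" + SAMPLE_KEY + "\n"
    '2024-05-01T10:00:01Z DEBUG request headers {"x-api-key": "' + SAMPLE_KEY + '"}\n'
    "2024-05-01T10:00:02Z INFO  tokenize call throttled (10/min)\n"
)

if __name__ == "__main__":
    print(redact_keys(SAMPLE_LOG))
```

Run the scanner over application logs before they leave the host, and over repositories before push; a hit is a rotation event, not just a cleanup.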
Webhook Signature Verification
All outbound webhooks include an X-Revtain-Signature header. Always verify it over the raw request body before parsing or acting on the payload, and reject requests whose signature is missing or does not match — see the Webhooks Guide for code examples.
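As an added example (not Revtain's code and not the Webhooks Guide's), the receiver-side check for the HMAC-SHA256 signature described in the table above and here. Two details are assumptions, because this page does not specify them: that the signature is the hex-encoded HMAC-SHA256 of the exact raw body bytes, and that nothing else (such as a timestamp) is mixed into the signed message; confirm both against the Webhooks Guide. The secret and body are constructed for the example. The points that are not assumptions are the ones that matter most: compare in constant time, and verify the bytes as received rather than a re-serialized copy.

```python
import hashlib
import hmac
import json

HEADER_NAME = "x-revtain-signature"  # header documented on the page; compared case-insensitively


def sign_webhook(signing_secret: str, raw_body: bytes) -> str:
    """Signature a sender would attach. ASSUMPTION: hex HMAC-SHA256 over the raw body only."""
    return hmac.new(signing_secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(signing_secret: str, raw_body: bytes, headers: dict) -> bool:
    """True only when the header is present and matches the HMAC of the body as received."""
    provided = next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)
    if not provided:
        return False
    expected = sign_webhook(signing_secret, raw_body)
    # hmac.compare_digest runs in constant time; a plain == short-circuits on the first
    # differing byte and leaks enough timing to forge a signature incrementally.
    return hmac.compare_digest(expected, provided.strip())


def handle_webhook(signing_secret: str, raw_body: bytes, headers: dict) -> dict:
    """Verify first, parse second: never json.loads an unverified body."""
    if not verify_webhook(signing_secret, raw_body, headers):
        raise PermissionError("webhook signature missing or invalid")
    return json.loads(raw_body)


def verify_after_reserialize(signing_secret: str, raw_body: bytes, headers: dict) -> bool:
    """Demonstrates the common bug: parsing the body and re-encoding it before verifying.
    json.dumps inserts spaces after ',' and ':' that the sender's bytes did not have, so the
    HMAC no longer matches even though the payload is semantically identical."""
    reserialized = json.dumps(json.loads(raw_body)).encode("utf-8")
    return verify_webhook(signing_secret, reserialized, headers)


# Constructed sample inputs (not real credentials or events).
SAMPLE_SECRET = "example-webhook-signing-secret"
SAMPLE_BODY = b'{"event":"example","attempt":1}'
SAMPLE_HEADERS = {"X-Revtain-Signature": sign_webhook(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print("valid:", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    print("tampered:", verify_webhook(SAMPLE_SECRET, SAMPLE_BODY + b" ", SAMPLE_HEADERS))
    print("re-serialized:", verify_after_reserialize(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
```

In a web framework, read the request body as bytes before any JSON middleware touches it, pass those bytes to the check, and respond with 401 or 403 on failure without logging the body.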