The term API refers to Application Programming Interface, which acts as an interface layer between software systems.
In today’s hyper-connected world, API security is no longer optional — it’s foundational.
At Remita, our APIs power critical financial services and remittance operations across Nigeria and beyond, robust security isn’t just a best practice; it’s our baseline.
This guide walks through the key concepts of authentication and authorization, while showing how Remita leverages industry-leading standards like HTTPS, JWT, and OAuth 2.0 to safeguard every transaction.
Basic API Features:
1. API Title:
[Insert API Name Here] E.g., Remita Payment Gateway API.
2. API Header:
The API header contains key-value pairs for authentication and additional configurations, as well as secret keys to ensure secure communication between the client and the server. Typically includes:Authorization: Bearer {access_token}
Content-Type: application/json
API-Key: {your_api_key}
3. API URL:
The URL typically follows this format:https://api.remita.net/api/v1/{endpoint}
Where:{endpoint} specifies the resource or functionalityhttps://api.remita.net is the base URLapi/v1 indicates the version
Example: https://api.remita.net/api/v1/payments/initiate
4. API Endpoints:
An API Endpoint is the exposed access point through which users or applications can interact with specific functionalities of an API.
| Endpoint | HTTP Method | Description |
/authenticate |
POST | Authenticate and retrieve access token |
/payments/initiate |
POST | Initiate a new payment |
/rrr/generate |
POST | Generate Remita Retrieval Reference (RRR) |
/billers |
POST | Retrieve list of available billers |
/transactions/history |
POST | Fetch user’s transaction history |
5. API Body:
Depending on the endpoint and API architecture, payloads are usually sent in JSON or XML. Below is a sample JSON payload to initiate a payment:
| api/json |
{ |
6. API method:
An API Method refers to the specific HTTP request type used to perform an action on a resource via an API. Each method defines the nature of the interaction with the data:
OPTIONS – Describe the communication options for the target resource.
GET – Retrieve data from the server (e.g., fetch user details).
POST – Submit data to the server to create a new resource (e.g., initiate a payment).
PUT – Update an existing resource completely (e.g., update user profile).
PATCH – Partially update an existing resource.
DELETE – Remove a resource from the server.
Securing APIs the Remita Way!
APIs are the gateways to your systems and data, and like any gate, they must be protected. Whether it’s processing payroll or managing remittances through our Public API Portal, ensuring that only verified users can access the right data is central to our infrastructure.
API Authentication helps to answer the “Who are you?” question, while API Authorisation answers: “What are you allowed to do?”. Before we dive deep, let’s touch on some common security threats, such as:
Token leakage: This occurs because of insecure storage or logging.
Man-in-the-Middle (MITM) attacks on unencrypted endpoints.
Privilege escalation occurs due to poor access controls.
Basic Authentication & HTTPS
Basic Auth involves sending your credentials (username and password) in the request header — encoded, not encrypted.
How It Works:
Authorization: Basic base64(username:password)
While simple to implement, Basic Auth should never be used without HTTPS. Without encryption, credentials can be intercepted in transit.
Risks:
- Easily compromised if HTTPS is not enforced.
- Credentials can be leaked if stored insecurely.
Remita Best Practices:
- Enforce HTTPS across all endpoints.
- Rotate credentials regularly.
- Never store credentials in the frontend or version control.
- JSON Web Tokens (JWT)
At Remita, we support JWT-based authentication for stateless, scalable API security. 
A JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6...
JWT Structure:
- Header: Signing algorithm (e.g., HS256).
- Payload: User data & claims.
- Signature: Verifies token integrity.
How It Works:
- You log in → receive a token.
- That token is sent with each request.
- The server validates it without storing session state.
Remita Best Practices:
- Use short-lived tokens.
- Implement refresh tokens for long sessions.
- Encrypt sensitive data inside JWTs.
PROS and CONS
| Pros | Cons |
| Stateless, scalable | Harder to revoke once issued |
| Easy to transmit via HTTP | Can be misused if not validated |
- OAuth 2.0 and OpenID Connect
Remita embraces the OAuth 2.0 framework to enable third-party integrations without compromising user credentials.
OAuth Roles:
- Resource Owner (You).
- Client (App).
- Authorization Server (Remita).
- Resource Server (API).
We implement OAuth flows that suit different applications:
| Flow Type | Use Case |
| Authorization Code | Web apps needing user login |
| Client Credentials | Machine-to-machine auth |
| Password Grant (Legacy) | Internal apps with direct credentials |
| Implicit Flow (Deprecated) | Not recommended due to security risks |
For identity verification, we layer OpenID Connect on top of OAuth to ensure secure, federated logins.
Remita Best Practices:
- Enforce PKCE(Proof Key for Code Exchange) for mobile clients
- lmplement least privilege using scopes
- Log and monitor OAuth token usage
- API Keys vs. Bearer Tokens vs. Session Auth
Different use cases call for different methods. Here’s a breakdown:
| Method | Best For | Security Level |
| API Keys | Simple internal integrations | Low-Medium |
| Bearer Tokens (JWT) | User-authenticated sessions | High |
| Session Cookies | Web apps with browser sessions | Medium |
At Remita, we prioritise bearer tokens and OAuth flows for all high-risk operations.
- Best Practices for API Security
Rate Limiting & Throttling
Prevent abuse and brute-force attacks by limiting request volume per user/IP.
Secure Credential Storage
Use Vaults, encrypted env variables, or Secrets Manager — never hard-code secrets.
Role-Based Access Control (RBAC)
Assign API permissions by user role and enforce scope-based access.
Continuous Monitoring
Log all access attempts, token usage, and anomalies. Enable alerts for suspicious behaviour.
Conclusion–Remita Walks the Talk
From Transport Layer Security (TLS)-encrypted endpoints to token-based auth, Remita’s API security stack is designed to give both developers and enterprises peace of mind.
Merchants are rest assured of a more secure end-to-end transaction based on the choice of the Remita API infrastructural design. This infrastructure layer adopts the best practices:
- Use OAuth 2.0 + JWT for secure, scalable auth
- Offer role-based access controls
- Conduct routine security audits
- Provide an easy-to-use Developer Portal to manage keys, tokens, and scopes
Explore Remita’s Secure APIs Today!
Get started with our APIs
