Requirements for securing API calls

When dealing with monetary transactions, the highest level of security must be obtained and maintained at all architectural levels. This applies both to the client using the service and the provider of the service.

The password of the user account must be chosen with care and should be unique, not similar to any other password being used within the organisation. Also, make sure passwords are not visible in log files.

All communication between services, both internally between servers, and externally with Internet servers, is encrypted using SSL to prevent eavesdropping.


TLS version

Please note that TLS 1.2 must be used for all requests that are sent to Trustly's API. TLS 1.0 and TLS 1.1 are no longer supported.

The entire system is fully redundant, both at the software component level and the physical level.



Trustly's server certificates are rotated on a yearly basis (sometimes more frequent) without prior notice. It's important that you trust the certificate hierarchy when communicating with Trustly's API. Certificate "pinning" should not be used.