Security
We deeply understand the importance of data security for the payment initiation business. We adopt the following measures to ensure the security of communication:
All requests must be made over HTTPS, and our access tokens have expiration times defined according to the Brazilian Open Finance specifications.
Our keys are all secured by AWS CloudHSM, which is FIPS-verified hardware. Passwords saved in our database are always encrypted with high-security algorithms (RSA256).
We use AWS as our infrastructure and strictly follow cloud-native best practices for compliance, network isolation (VPC), resource access rights, vulnerability detection, etc.
To ensure webhook notifications reach your webhook listener server, you must add the following Klavi IP addresses to your firewall’s allowlist:
Environment | IP Address |
---|---|
Sandbox | 18.231.92.86 |
Testing | 18.231.92.86 |
Production | 18.230.43.17 |
No matter how you receive shared data, the outbound IP addresses for Klavi's environments are the ones shown above. If you have stricter security requirements, you can allow access from only the IP addresses above.
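
The same allowlist can also be enforced in the webhook listener itself. The following is an added example, not Klavi's code: it checks the sender against the table above and only honours `X-Forwarded-For` when the connection comes from your own proxy. The function names and the `trusted_proxies` parameter are assumptions about your deployment.

```python
import ipaddress

# Klavi source addresses per environment, copied from the table above.
KLAVI_WEBHOOK_IPS = {
    "sandbox": {"18.231.92.86"},
    "testing": {"18.231.92.86"},
    "production": {"18.230.43.17"},
}


def _normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d). None if invalid."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def client_ip(peer_addr, x_forwarded_for=None, trusted_proxies=()):
    """Return the address to check against the allowlist.

    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies (trusted_proxies, an assumption about the deployment); then the
    right-most hop that is not a trusted proxy is the real sender.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    peer = _normalize(peer_addr)
    if peer is None:
        return None
    if not x_forwarded_for or not any(peer in net for net in trusted):
        return peer
    for hop in reversed(x_forwarded_for.split(",")):
        ip = _normalize(hop)
        if ip is None:
            return None  # malformed header: fail closed
        if not any(ip in net for net in trusted):
            return ip
    return peer


def is_klavi_source(environment, peer_addr, x_forwarded_for=None, trusted_proxies=()):
    """True only if the resolved sender is on the allowlist for this environment."""
    ip = client_ip(peer_addr, x_forwarded_for, trusted_proxies)
    allowed = KLAVI_WEBHOOK_IPS.get(environment.lower(), set())
    return ip is not None and str(ip) in allowed
```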