Lu71

Security

Built so that even if we are breached, attackers get nothing useful.

We Never Store Your Keys

Stripe connects via OAuth (Stripe Connect). When you authorize Lu71, Stripe gives us a connected account ID. We use that ID together with our own platform key, passing it in the Stripe-Account header, to act on your behalf. Your Stripe secret key never touches our servers, and the connected account ID is an identifier, not a credential. If our database is compromised, nothing in it grants access to your Stripe account, and you can revoke Lu71's connection at any time from your Stripe dashboard.

For Lithic, we store a restricted API key scoped to disputes:write only. That key cannot read your card numbers or customer data and cannot move money; it can only file and manage disputes, so that is the most an attacker who obtained it could do.

Signed Intents

Every purchase intent is signed with HMAC-SHA256 using a server-side secret. The signature covers the intent ID, customer ID, description, amount, currency, and creation timestamp, so anyone without that secret runs into the following limits:

  • A dispute cannot be fabricated after the fact: the signed intent must already exist before the purchase.
  • Intent details (amount, description, timing) cannot be altered without invalidating the signature.
  • The signature must be presented when filing a dispute; without a valid one, the dispute is rejected.

Two-Factor Authentication

API key generation requires a valid TOTP code from an authenticator app (Google Authenticator, 1Password, Authy). Codes are derived from a secret held only by your authenticator and are short-lived, so someone who obtains your account password still cannot generate keys to file disputes or access your data without your authenticator device.

Hashed API Keys

API keys are hashed with SHA-256 before storage; we keep only the hash and a short prefix for display. The full key is shown exactly once, at generation time. If our database is leaked, the hashes cannot be reversed or brute-forced into working keys. This holds because API keys are long random strings, not human-chosen passwords: there is no dictionary to try against the hash.

Payment Method Verification

Before generating API keys, you must add a payment method via Stripe Checkout with 3D Secure, so the card is authenticated by its issuing bank before we accept it. This ties every account to a verified card and prevents anonymous abuse.

Webhook Signatures

Every webhook we send to your server is signed with your unique webhook secret using HMAC-SHA256; the signature is carried in the x-lu71-signature header. Recompute the HMAC over the raw request body exactly as received, compare it to the header value with a constant-time comparison, and reject anything that does not match. This confirms the payload came from Lu71 and was not altered in transit.
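The same HMAC-SHA256 construction underlies both the signed intents described above and the webhook signatures in this section. The following is an added example, not Lu71's own code: the field names, the canonical JSON encoding of an intent, and the assumption that x-lu71-signature carries a hex HMAC over the raw body are all hypothetical, chosen to show the technique. The constructed intent and webhook body are sample data.

```python
import hashlib
import hmac
import json
from typing import Mapping

# Hypothetical demonstration only: field names, canonical encoding and the
# webhook header format are assumptions, not Lu71's documented wire format.

INTENT_FIELDS = ("intent_id", "customer_id", "description",
                 "amount", "currency", "created_at")


def sign(secret: bytes, message: bytes) -> str:
    """HMAC-SHA256 over message, hex-encoded."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, message: bytes, signature: str) -> bool:
    """Constant-time comparison; never compare MACs with ==."""
    return hmac.compare_digest(sign(secret, message), signature)


def canonical_intent(intent: Mapping[str, object]) -> bytes:
    """Serialise exactly the covered fields in a fixed encoding so that signer
    and verifier hash identical bytes. JSON escaping means a description
    containing '|' or '"' cannot shift field boundaries, which a naive
    delimiter-joined string would allow. Raises KeyError if a field is absent."""
    covered = {k: intent[k] for k in INTENT_FIELDS}
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()


def sign_intent(server_secret: bytes, intent: Mapping[str, object]) -> str:
    """Server side: sign a newly created purchase intent."""
    return sign(server_secret, canonical_intent(intent))


def verify_intent(server_secret: bytes, intent: Mapping[str, object],
                  signature: str) -> bool:
    """Server side, at dispute time: any change to a covered field, a missing
    field, or a signature from another secret fails verification."""
    try:
        message = canonical_intent(intent)
    except KeyError:
        return False
    return verify(server_secret, message, signature)


def verify_webhook(webhook_secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Receiver side: verify the raw bytes exactly as received. Parsing and
    re-serialising the JSON can reorder keys or change whitespace and break
    the MAC even though the payload is genuine."""
    return verify(webhook_secret, raw_body, header_value)


if __name__ == "__main__":
    server_secret = b"constructed-server-secret"
    intent = {"intent_id": "int_123", "customer_id": "cus_456",
              "description": "Coffee | 2 cups", "amount": 900,
              "currency": "usd", "created_at": "2024-01-01T00:00:00Z",
              "note": "not covered by the signature"}
    sig = sign_intent(server_secret, intent)
    print("genuine intent:", verify_intent(server_secret, intent, sig))
    print("amount changed:", verify_intent(server_secret, {**intent, "amount": 1}, sig))

    webhook_secret = b"constructed-webhook-secret"
    body = b'{"event":"dispute.filed","intent_id":"int_123"}'
    header = sign(webhook_secret, body)   # what Lu71 would put in x-lu71-signature
    print("webhook ok:", verify_webhook(webhook_secret, body, header))
    print("webhook tampered:", verify_webhook(webhook_secret, body + b" ", header))
```

The verifier does not need to know which field was altered; any difference in the covered bytes changes the MAC. Fields outside INTENT_FIELDS (the "note" above) are deliberately unprotected, so everything a dispute depends on must be in the covered set.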

Key Expiry and Revocation

API keys support time-based expiry (30 days, 90 days, 1 year, or never) and can be revoked instantly from the dashboard; revoked or expired keys are rejected on the next request. Activity tracking shows when each key was last used and how many requests it has made, so an unfamiliar key or an unexpected spike in use stands out.
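The TOTP gate, the hashed-key storage and the expiry/revocation checks from the three sections above fit together in one small key store. The following is an added example, not Lu71's own code: the key format ("lu71_" plus a random token), the 12-character display prefix, the 30-second 6-digit TOTP parameters and the in-memory store are assumptions. The TOTP test secret is the RFC 4226 test vector, embedded so the block runs offline.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical demonstration only: key format, prefix length and storage
# layout are assumptions, not Lu71's implementation.

TOTP_STEP = 30     # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, as authenticator apps compute it."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: float, last_counter: int,
                window: int = 1) -> Optional[int]:
    """Return the time-step counter that matched, or None. Tolerates one step
    of clock drift either way and refuses any counter at or below the last one
    accepted, so a code that was phished or shoulder-surfed cannot be replayed."""
    current = int(now) // TOTP_STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


@dataclass
class StoredKey:
    prefix: str                  # shown in the dashboard, never the full key
    key_hash: str                # SHA-256 hex of the full key
    expires_at: Optional[float]  # None means the key never expires
    revoked: bool = False
    last_used_at: Optional[float] = None
    request_count: int = 0


class KeyStore:
    def __init__(self) -> None:
        self._by_hash: Dict[str, StoredKey] = {}

    @staticmethod
    def _hash(raw_key: str) -> str:
        # Plain SHA-256 is adequate only because the key is 256 bits of CSPRNG
        # output: there is nothing to dictionary-attack. A human-chosen
        # password would need a slow, salted hash instead.
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def generate(self, totp_secret: bytes, totp_code: str, now: float,
                 ttl_seconds: Optional[float], last_counter: int = -1) -> Tuple[str, int]:
        """Mint a key after a valid TOTP code. Returns (full key, TOTP counter
        consumed); the full key is never stored and never shown again."""
        counter = verify_totp(totp_secret, totp_code, now, last_counter)
        if counter is None:
            raise PermissionError("valid TOTP code required to generate a key")
        raw_key = "lu71_" + secrets.token_urlsafe(32)   # assumed key format
        record = StoredKey(prefix=raw_key[:12], key_hash=self._hash(raw_key),
                           expires_at=None if ttl_seconds is None else now + ttl_seconds)
        self._by_hash[record.key_hash] = record
        return raw_key, counter

    def authenticate(self, presented_key: str, now: float) -> Optional[StoredKey]:
        """Hash the presented key and look it up. Unknown, revoked and expired
        keys all fail identically; activity is recorded on success."""
        record = self._by_hash.get(self._hash(presented_key))
        if record is None or record.revoked:
            return None
        if record.expires_at is not None and now >= record.expires_at:
            return None
        record.last_used_at = now
        record.request_count += 1
        return record

    def revoke(self, prefix: str) -> int:
        """Revoke every key whose display prefix matches; returns how many."""
        hits = [r for r in self._by_hash.values() if r.prefix == prefix]
        for r in hits:
            r.revoked = True
        return len(hits)
```

Because the store keeps only hashes, the lookup direction is hash(presented key) to record, never record to key: a dump of `_by_hash` yields prefixes and digests, nothing that authenticates. The replay check in verify_totp is the detail most home-grown TOTP verifiers omit; without it a code remains usable for the whole drift window.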

Summary

Stripe credentials      Never stored (OAuth only)
Intent signatures       HMAC-SHA256, tamper proof
API keys                SHA-256 hashed, shown once
Authentication          Email + password + 2FA (TOTP)
Payment verification    Stripe Checkout + 3D Secure
Webhooks                HMAC-SHA256 signed
Key management          Expiry, revocation, activity logs