
Security Options

Written by GoKart Support

To ensure secure communication between your systems and GoKart, implement the security measures described below.

These steps help protect your data and ensure that only authorized requests are processed.


Whitelist GoKart IP Addresses

To secure your API endpoints, add GoKart's IP addresses to your whitelist. This ensures that only requests originating from GoKart's servers are accepted, protecting your system from unauthorized access.

Steps to Whitelist GoKart IP Addresses

  1. Obtain the list of GoKart IP addresses from the customer service chat at the bottom right of the page.

  2. Add these IP addresses to your server's firewall or security settings.

  3. Configure your API endpoint to accept requests only from these whitelisted IP addresses.


Apply Secret Key

GoKart can send a secret API token/key with each request to authenticate and secure the communication. These tokens are stored as encrypted text within GoKart, adding an extra layer of security.

You can configure both the header name and the secret value directly in your GoKart callback security settings.

1. Define a Custom Header Name/Key

You can specify the header that GoKart will use when sending requests.

Examples:

  • X-Api-Token

  • X-Webhook-Secret

  • Any custom header name that fits your internal standards


2. Set Your Secret Value

You define your own secret token value and store it in the GoKart settings.

  • This value is encrypted at rest in GoKart

  • It is never exposed in client-side code

  • You are responsible for securely storing it on your server


How GoKart Sends the Secret Token

For every webhook or callback request, GoKart will include:

  • The custom header name you configured

  • The secret value you defined

Example:

X-Api-Token: your-secret-value

Notes

  • You can update the header name and secret value at any time in the security settings

  • For security purposes, the request header key and secret value fields are cleared after you save them

  • This mechanism is often used alongside IP whitelisting for additional security


Validating Incoming Requests

When a request is received:

  1. Validate the Secret API Token

    • Read the configured header from the request (e.g. X-Api-Token)

    • Compare the value against your stored secret token

  2. Validate the Source IP

    • Check the request’s originating IP address

    • Ensure it matches your approved IP whitelist
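A receiver-side implementation of the two validation steps above, added here as an example and not GoKart's own code. The header name, secret and IP ranges are constructed placeholders; replace them with the values from your own GoKart security settings and the IP list obtained from customer service.

```python
import hmac
import ipaddress

# Constructed sample values; the real header name, secret and IP list come
# from your GoKart security settings and the GoKart customer service chat.
HEADER_NAME = "X-Api-Token"
STORED_SECRET = "your-secret-value"  # load from server-side config, not source
ALLOWED_IPS = ["203.0.113.10", "198.51.100.0/28"]  # placeholder addresses


def token_is_valid(headers, header_name=HEADER_NAME, secret=STORED_SECRET):
    """Step 1: compare the configured header against the stored secret.

    Header lookup is case-insensitive (HTTP header names are), and the
    comparison is constant-time so response timing leaks nothing about
    how many leading bytes matched.
    """
    presented = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), secret.encode())


def ip_is_allowed(source_ip, allowed=ALLOWED_IPS):
    """Step 2: check the connecting address against the whitelist.

    `source_ip` must be the transport-level peer address (the socket's
    remote address, or the address set by your own edge proxy if that proxy
    is the only thing able to reach this server); never base this decision
    on a client-supplied X-Forwarded-For header.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowed)


def request_is_authorized(headers, source_ip):
    """Both checks must pass before the callback payload is processed."""
    return token_is_valid(headers) and ip_is_allowed(source_ip)


if __name__ == "__main__":
    good = {"x-api-token": "your-secret-value"}
    print(request_is_authorized(good, "203.0.113.10"))   # True
    print(request_is_authorized(good, "192.0.2.1"))      # False: IP not whitelisted
    print(request_is_authorized({"X-Api-Token": "wrong"}, "203.0.113.10"))  # False
```

Reject the request before parsing its body when either check fails, and log the failure with the source address so repeated misses are visible in monitoring.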
