Pinrail Docs

Authentication

Guidance for documenting public authentication and credential handling.

Authentication Model

Pinrail separates environments and credentials by purpose. Treat every credential as environment-scoped and least-privilege by default.

What To Expect

Public consumers should expect the following categories of access:

  • API credentials for operator or sponsor-facing REST calls
  • webhook signing secrets for inbound event verification
  • user credentials for browser-based TMS access where applicable
  • environment-specific non-production credentials for sandbox testing

Environment Separation

Keep sandbox and production credentials completely separate.

  • do not reuse webhook secrets across environments
  • do not point sandbox terminals at production endpoints
  • rotate API credentials and webhook secrets independently
  • document the owning team and intended integration for every issued credential
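As an added example (not Pinrail's own code), the following Python audit walks a credential inventory and reports violations of the separation rules above: a secret reused across environments, a sandbox credential whose endpoint resolves to the production host, and a credential with no recorded owning team or integration. The record layout, the host names and the sample inventory are all assumptions constructed for this example; secrets are compared by digest so the audit never handles or prints raw values.

```python
# Added example, not Pinrail's code. Record layout, host names and sample
# data are assumptions for illustration only.
import hashlib
from collections import defaultdict
from urllib.parse import urlparse

PRODUCTION_HOST = "api.pinrail.example"      # placeholder, not a real endpoint
SANDBOX_HOST = "sandbox.pinrail.example"     # placeholder, not a real endpoint


def fingerprint(secret: str) -> str:
    """Short digest so the audit can compare secrets without exposing them."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def audit_inventory(records):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    envs_by_secret = defaultdict(set)  # fingerprint -> environments using it
    for r in records:
        envs_by_secret[fingerprint(r["secret"])].add(r["env"])
        # Every issued credential must name its owning team and integration.
        if not r.get("owner") or not r.get("integration"):
            findings.append(f"{r['name']}: missing owning team or integration")
        # A sandbox credential must never be pointed at the production host.
        host = urlparse(r.get("endpoint", "")).hostname
        if r["env"] == "sandbox" and host == PRODUCTION_HOST:
            findings.append(f"{r['name']}: sandbox credential targets production endpoint")
    # Secret reuse is only visible once the whole inventory has been seen.
    for fp, envs in envs_by_secret.items():
        if len(envs) > 1:
            findings.append(f"secret {fp}: reused across {sorted(envs)}")
    return findings


# Constructed sample inventory; the third and fourth records deliberately share
# a webhook secret, the fourth lacks an owner, and the fifth is misconfigured.
SAMPLE_INVENTORY = [
    {"name": "ops-api-prod", "env": "production", "kind": "api",
     "owner": "payments-ops", "integration": "operator portal",
     "secret": "prod-api-key-AAAA", "endpoint": f"https://{PRODUCTION_HOST}"},
    {"name": "ops-api-sandbox", "env": "sandbox", "kind": "api",
     "owner": "payments-ops", "integration": "operator portal",
     "secret": "sandbox-api-key-BBBB", "endpoint": f"https://{SANDBOX_HOST}"},
    {"name": "events-webhook-prod", "env": "production", "kind": "webhook",
     "owner": "integrations", "integration": "event ingest",
     "secret": "whsec-SHARED"},
    {"name": "events-webhook-sandbox", "env": "sandbox", "kind": "webhook",
     "owner": "", "integration": "event ingest",
     "secret": "whsec-SHARED"},
    {"name": "terminal-sandbox", "env": "sandbox", "kind": "api",
     "owner": "field-ops", "integration": "terminal config",
     "secret": "term-CCCC", "endpoint": f"https://{PRODUCTION_HOST}"},
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print(finding)
```

Run the audit against the sample and it reports three findings (the missing owner, the sandbox terminal aimed at production, and the shared webhook secret); feeding it only the first two records, which are properly scoped, returns nothing.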

Rotation Guidance

When rotating credentials:

  1. Create the replacement secret in the target environment.
  2. Update the consuming application before revoking the prior value.
  3. Validate API access or webhook verification with a smoke test.
  4. Remove the previous credential and update your internal runbook.
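The following Python is an added example, not Pinrail's code, showing how a consuming application can carry out steps 2 to 4 for a webhook signing secret without dropping events: it accepts both the replacement and the prior secret during the changeover, runs a local smoke test against the new value, and only then discards the old one. The signature scheme (HMAC-SHA256 over `<timestamp>.<body>`, carried in a header of the form `t=<timestamp>,v1=<hex digest>`) and the secret values are assumptions for illustration; Pinrail's actual webhook signature format is not stated on this page.

```python
# Added example, not Pinrail's code. The header layout, HMAC construction and
# secret names are assumptions; consult the real webhook docs for the format.
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # reject events whose timestamp is further off than this


def _message(timestamp: int, body: bytes) -> bytes:
    return f"{timestamp}.".encode() + body


def sign(secret: str, timestamp: int, body: bytes) -> str:
    """Build the signature header a sender would attach to an event."""
    digest = hmac.new(secret.encode(), _message(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify(header: str, body: bytes, accepted_secrets, now=None) -> bool:
    """Accept if the timestamp is fresh and any accepted secret signs the body."""
    now = int(time.time()) if now is None else now
    try:
        parts = dict(p.split("=", 1) for p in header.split(","))
        timestamp = int(parts["t"])
        presented = parts["v1"]
    except (ValueError, KeyError):
        return False  # malformed header
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or replayed event
    msg = _message(timestamp, body)
    for secret in accepted_secrets:
        expected = hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, presented):  # constant-time compare
            return True
    return False


class WebhookVerifier:
    """Tracks which secrets the consuming application currently accepts."""

    def __init__(self, current: str):
        self.current = current
        self.previous = None

    def begin_rotation(self, replacement: str):
        # Step 2: start accepting the replacement before the prior value is revoked.
        self.previous, self.current = self.current, replacement

    def finish_rotation(self):
        # Step 4: drop the previous credential once the smoke test has passed.
        self.previous = None

    def accepted(self):
        return [s for s in (self.current, self.previous) if s]

    def verify(self, header: str, body: bytes, now=None) -> bool:
        return verify(header, body, self.accepted(), now)


def smoke_test(verifier: WebhookVerifier, secret: str, now: int) -> bool:
    """Step 3: sign a constructed event with the new secret and confirm acceptance."""
    body = b'{"event":"rotation.smoke_test"}'  # constructed sample payload
    return verifier.verify(sign(secret, now, body), body, now)


if __name__ == "__main__":
    now = int(time.time())
    v = WebhookVerifier("whsec_old_PLACEHOLDER")
    v.begin_rotation("whsec_new_PLACEHOLDER")
    print("smoke test passed:", smoke_test(v, "whsec_new_PLACEHOLDER", now))
    v.finish_rotation()
    print("accepted secrets after rotation:", len(v.accepted()))
```

During the overlap window both secrets validate, so events signed with either value are accepted; after `finish_rotation()` only the replacement works, and stale timestamps, altered bodies and malformed headers are rejected throughout.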

What Should Not Be Published

Do not place any of the following in this repo:

  • internal admin credentials
  • production-only internal endpoints
  • PCI-sensitive implementation details
  • secrets or live tokens
