Security & Authentication

SSL/TLS

All communication with Tango Card’s RaaS API is handled over HTTPS, that is, HTTP over TLS (the successor to SSL; the two names are often used interchangeably). For the connection to be trustworthy, your client must be able to validate the certificate chain the API server presents: the server certificate, any intermediate certificates, and the root (trust anchor) they chain up to. If that chain cannot be validated, communication will (at best) fail outright or (at worst), if verification is switched off to “make it work”, leave you exposed to man-in-the-middle attacks. To accomplish this, we recommend you add the issuing Certificate Authority’s (CA’s) root certificate to your system’s trusted list. If that’s not possible, an alternative is to ship the certificate with your application and point your HTTP library at it. Major CAs deliver a ‘bundled’ file containing the complete certificate chain, providing a single installation method for the certificates.

Certificate Authority

We use Amazon Web Services (AWS) to issue our TLS certificates. You can get AWS’s root and intermediate certificates from AWS Docs: Server Authentication Certs. If you choose to reference the certificate chain from your application’s code, the details on how to do this are highly specific to the library being used to make the connection, but here are a few examples to demonstrate the idea. Each one points the library at a local copy of AmazonRootCA1.pem and keeps peer verification enabled:

Ruby:

require 'net/http'
require 'openssl'

https = Net::HTTP.new('integration-api.tangocard.com', 443)
https.use_ssl = true
# Reject the connection unless the server's chain validates against ca_file.
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = File.join(File.dirname(__FILE__), "../ca_certs/AmazonRootCA1.pem")
https.request_get('/fake/example')

PHP:

<?php
$curl = curl_init('https://integration-api.tangocard.com/fake/example');
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);  // validate the chain against CAINFO
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);     // and require the cert to match the hostname
// __DIR__ has no trailing slash, so the separator belongs in the relative path.
curl_setopt($curl, CURLOPT_CAINFO, __DIR__ . "/../ca_certs/AmazonRootCA1.pem");
curl_exec($curl);

Python:

import os
import requests
from requests.auth import HTTPBasicAuth

# requests verifies the peer by default; verify= pins the trust anchor to the bundled AWS root.
ca_file = os.path.join(os.path.dirname(__file__), '../ca_certs/AmazonRootCA1.pem')
requests.get('https://integration-api.tangocard.com/fake/example',
             auth=HTTPBasicAuth(username, password),  # platform name and platform key
             verify=ca_file)

One thing to take note of in the Ruby and PHP examples is that OpenSSL is being instructed to “verify peer” (the Python requests library does this by default). This setting is essential: without it your communication is encrypted, but you have no assurance of who you are talking to, which is exactly the condition a man-in-the-middle attack relies on. Never turn peer verification off to work around a certificate error; fix the trust store or the CA file path instead.

Authentication & Credential Handling

All calls require the platform’s authentication credentials. They are sent using HTTP Basic auth with the platform name as the username and the platform access key as the password; both are assigned by Tango Card. Because Basic auth transmits the credentials on every request (base64-encoded, not encrypted), it is only safe over a verified TLS connection as described above.

The platform is responsible for controlling access to its own accounts (e.g. not allowing ACC1 to place an order using ACC2’s account). Requests from an authenticated platform against any of that platform’s accounts are implicitly trusted, so any per-account authorization check must happen in your code before the request is sent.
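As an added example (not Tango Card’s code), here is a small stdlib-only Python client that ties the two points above together: it builds the Basic auth header from the platform name and key, keeps TLS peer verification on (optionally pinned to a shipped AWS root file, as in the examples above), and refuses to build a request for an account the calling customer does not own, so the implicit trust Tango Card extends to the platform is not extended to the platform’s own users. The customer ids, account identifiers and credential values are constructed placeholders, and the environment variable names are an assumption.

```python
import base64
import os
import ssl
import urllib.request


class RaaSClient:
    """Builds RaaS API requests with platform credentials and a per-caller account check."""

    def __init__(self, platform_name, platform_key, account_owners, ca_file=None,
                 base_url='https://integration-api.tangocard.com'):
        # Basic auth credentials must never travel over plain HTTP.
        if not base_url.startswith('https://'):
            raise ValueError('RaaS base URL must use https')
        self.base_url = base_url
        # HTTP Basic: "Basic " + base64("<platform name>:<platform key>")
        token = base64.b64encode(f'{platform_name}:{platform_key}'.encode()).decode()
        self.auth_header = f'Basic {token}'
        # caller id -> set of RaaS account identifiers that caller may act on
        self.account_owners = account_owners
        # Peer verification and hostname checking stay on; cafile (when given)
        # pins the trust anchor to the shipped AWS root instead of the system store.
        self.ssl_context = ssl.create_default_context(cafile=ca_file)

    def can_use(self, caller_id, account_id):
        """True only if caller_id is recorded as an owner of account_id."""
        return account_id in self.account_owners.get(caller_id, set())

    def authorize(self, caller_id, account_id):
        """Refuse to act on an account the caller does not own (ACC1 must not use ACC2)."""
        if not self.can_use(caller_id, account_id):
            raise PermissionError(f'{caller_id} is not allowed to use account {account_id}')

    def build_request(self, caller_id, account_id, path, body=None):
        """Return a urllib Request for `path` on behalf of `caller_id`, or raise PermissionError.

        `body`, when given, must already be JSON-encoded bytes.
        """
        self.authorize(caller_id, account_id)
        req = urllib.request.Request(self.base_url + path, data=body,
                                     method='POST' if body is not None else 'GET')
        req.add_header('Authorization', self.auth_header)
        req.add_header('Accept', 'application/json')
        if body is not None:
            req.add_header('Content-Type', 'application/json')
        return req

    def send(self, req):
        """Send a request built by build_request over the verified TLS context."""
        with urllib.request.urlopen(req, context=self.ssl_context) as resp:
            return resp.status, resp.read()


def demo_client():
    """Constructed sample: credentials from the environment (names assumed), two callers, two accounts."""
    # Placeholder defaults; real platform names and keys are assigned by Tango Card.
    platform_name = os.environ.get('RAAS_PLATFORM_NAME', 'demo-platform')
    platform_key = os.environ.get('RAAS_PLATFORM_KEY', 'demo-key')
    owners = {'customer-1': {'ACC1'}, 'customer-2': {'ACC2'}}
    return RaaSClient(platform_name, platform_key, owners)


if __name__ == '__main__':
    client = demo_client()
    ok = client.build_request('customer-1', 'ACC1', '/fake/example')
    print(ok.full_url, ok.get_header('Authorization'))
    try:
        client.build_request('customer-1', 'ACC2', '/fake/example')
    except PermissionError as exc:
        print('blocked:', exc)
```

The ownership check sits in front of request construction rather than in front of `send`, so there is no code path that can produce a signed request for the wrong account; the platform key itself is only ever read from the environment, never from a literal in the source.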

Tango Card will only provide platform keys via secure methods such as Dashlane or LastPass. Never email platform keys or store them on a shared drive.

Cross-site Scripting (XSS) and Malicious Behavior

Tango Card may reject requests whose content or behaviour could be exploitative in nature. This includes requests containing characters or markup associated with injection attacks (for example script fragments in free-text fields) or behaviour not consistent with OWASP Top 10 guidelines.