In order to protect the ecosystem, you must adhere to the following rules and best practices. Failure to do so will result in the revocation of your API key.

  1. Never ask users for their account credentials or credit card information. We support OAuth 2.0 authentication. When adding credit cards, we have a similar flow to OAuth 2.0. See more in the Authentication and Payment sections.
  2. Do not store or cache our data. This will certainly lead to bugs, as data tends to change frequently, and it also violates our terms of service. If you think a particular endpoint is too slow, please let us know and we’ll do our best to improve it.
  3. In the instance of alcohol or tobacco sales, certain guidelines must be followed. See the Legal Disclaimers section for more information.
  4. Adhere to our branding and attribution requirements.
  5. To prevent your transactions from being incorrectly flagged as fraudulent, you must send the customer’s actual data. Examples include, but are not limited to:
    1. The customer’s actual credit card data. Don’t use one card for all of your users.
    2. IP address. (Please specify the true client IP in http header “HTTP_X_FORWARDED_FOR“.)
    3. Email address.
    4. First and last name.
    5. Phone number.

For more detailed DO’s and DON’Ts (along with a healthy dose of legalese) please see our Terms of Service.