Security
How we protect partner integrations and end-user funds.
API key handling
Partner keys (ema_pk_...) are server-to-server credentials. Never embed them in mobile or browser apps. Proxy all partner calls through your backend.
User session JWTs
Mint 7-day JWTs via POST /v1/partner/users/:id/session for end-user clients. JWTs authorize standard Min user routes — not partner admin operations.
Webhook verification
All outbound webhooks include X-Ema-Signature (HMAC-SHA256). Verify signatures with your webhook secret before processing deposit.credited or withdrawal.finished events.
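A receiver-side check for the rule above, as an added example that is not Ema's own code. It assumes X-Ema-Signature carries the hex HMAC-SHA256 of the raw request body and that events have a `type` field; this page states neither detail, and the secret and payload are constructed.

```python
import hashlib
import hmac
import json

# Event names taken from the page; the "type" field name is an assumption.
HANDLED_EVENTS = {"deposit.credited", "withdrawal.finished"}


def verify_signature(secret: bytes, raw_body: bytes, header_value) -> bool:
    """True only if header_value equals hex HMAC-SHA256(secret, raw_body).

    Assumption: X-Ema-Signature carries a hex digest of the raw body bytes.
    """
    if not header_value:
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    received = header_value.strip().lower()
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(expected.encode(), received.encode())


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes):
    """Verify first, parse second. Returns (http_status, event_or_None)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if not verify_signature(secret, raw_body, lowered.get("x-ema-signature")):
        return 401, None  # reject before any JSON parsing or balance update
    event = json.loads(raw_body)
    if event.get("type") not in HANDLED_EVENTS:
        return 200, None  # authentic, but nothing for this handler to do
    return 200, event


# Constructed sample data (not real secrets or payloads).
SECRET = b"constructed-webhook-secret"
BODY = b'{"type":"deposit.credited","amount":"25.00"}'
GOOD_SIG = hmac.new(SECRET, BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(handle_webhook(SECRET, {"X-Ema-Signature": GOOD_SIG}, BODY))
    # Re-serialising the JSON changes the bytes, so the signature no longer matches.
    reserialised = json.dumps(json.loads(BODY)).encode()
    print(handle_webhook(SECRET, {"X-Ema-Signature": GOOD_SIG}, reserialised))
```

Pass the handler the request body exactly as received; a framework that parses and re-encodes JSON before your code sees it will make valid signatures fail.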
Compliance gates
Withdrawals require completed KYC profiles and whitelisted payout addresses. The Partner API respects the same admin approval flows as the Min mobile app.
Tenant isolation
Partner users are scoped under partner_id. The same email can exist on the main Min app and under your tenant without conflict.
Scopes
API keys are issued with granular scopes: users, wallet, deposits, withdrawals, compliance, airfarming, vip, webhooks. Request only what you need.