Security
Minimal data, maximum control
Holdify never sees your request bodies, customer passwords, or payment data. We only need the API key and resource to make a decision.
Server-side secrets
API keys and webhook secrets stay on your server. Never expose them in client code.
Signed webhooks
Verify Polar webhook signatures before processing. Reject invalid requests.
Least privilege
Scopes limit what each key can do. Separate test and production environments.
Audit trail
Every decision is logged with timestamp, policy, and outcome.
What we don't need
Your sensitive data stays where it belongs: with you.
API request bodies: we only see the key
Customer passwords: authentication is yours
Payment card data: Polar handles billing
Found a security issue?
Email us with reproduction steps and impact. We'll respond within 48 hours.
security@holdify.io