Security
Authentication
uPayments uses NextAuth.js v5 with JWT sessions. Passwords are hashed with bcrypt at a cost factor of 12.
Two-Factor Authentication
Enable 2FA from Settings → Security:
- Click Enable 2FA
- Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password)
- Enter the 6-digit code to verify
- Save your backup codes — these are one-time-use recovery codes
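The enrolment steps above are what the authenticator app and uPayments agree on: a shared secret, 30-second time steps and 6-digit codes (RFC 6238 TOTP over RFC 4226 HOTP), plus a set of one-time recovery codes. The following is an added example in TypeScript (chosen because the product is built on NextAuth.js) and is not uPayments' own code; it verifies a submitted code with one step of clock-skew tolerance, refuses replays of an already-used step, and stores backup codes only as hashes. The replay-counter handling, the backup-code length and the hashing are this example's assumptions, since the page does not describe how uPayments implements them.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const STEP_SECONDS = 30; // RFC 6238 default time step
const DIGITS = 6;

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
export function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 2 ** 32), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) |
    (mac[offset + 1] << 16) |
    (mac[offset + 2] << 8) |
    mac[offset + 3];
  const digits = String(bin % 10 ** DIGITS);
  return "000000".slice(digits.length) + digits; // left-pad to 6 digits
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
export function totp(secret: Buffer, unixSeconds: number): string {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Constant-time comparison so a wrong code cannot be distinguished by timing.
function codesEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Verify a submitted code, accepting one step of clock skew either side. Returns the
// matching counter so the caller can persist it; any counter at or below lastUsedCounter
// is refused, which stops a captured code from being replayed inside its validity window.
export function verifyTotp(
  secret: Buffer,
  code: string,
  unixSeconds: number,
  lastUsedCounter = -1,
): number | null {
  const now = Math.floor(unixSeconds / STEP_SECONDS);
  for (const counter of [now - 1, now, now + 1]) {
    if (counter > lastUsedCounter && codesEqual(hotp(secret, counter), code)) return counter;
  }
  return null;
}

// Backup codes: 10 hex characters (40 bits) each, shown to the user once and stored only
// as SHA-256 hashes. (Assumption: the page does not say how uPayments stores them.)
function hashBackupCode(code: string): string {
  return createHash("sha256").update(code.trim().toLowerCase()).digest("hex");
}

export function generateBackupCodes(count = 8): { plain: string[]; hashes: string[] } {
  const plain = Array.from({ length: count }, () => randomBytes(5).toString("hex"));
  return { plain, hashes: plain.map(hashBackupCode) };
}

// Redeem a backup code: its hash is removed from the stored set, so it is one-time-use.
export function redeemBackupCode(storedHashes: Set<string>, code: string): boolean {
  const h = hashBackupCode(code);
  if (!storedHashes.has(h)) return false;
  storedHashes.delete(h);
  return true;
}
```

The ±1 step window is the usual compromise between phone clock drift and the attacker's guessing budget; widen it and you should rate-limit attempts accordingly. Persisting the matched counter matters because a 6-digit code is otherwise valid for up to 90 seconds after it is first used.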
Password Management
Change your password from Settings → Profile → Change Password. Changing it requires your current password.
Active Sessions
View all active sessions from Settings → Security. Each session shows:
- Device and browser (e.g. “Chrome on macOS”)
- IP address and approximate location (geolocated via ipinfo.io)
- Last active timestamp
Access Control
Role-Based Permissions
Access is controlled by more than 40 granular permission keys, grouped by area:
| Area | Permissions |
|---|---|
| Transactions | view, refund |
| Customers | view, create, edit |
| Invoices | view, create, edit, delete, send |
| Payment Pages | view, create, edit, delete |
| Settings | view, edit |
| Users | view, manage, delete |
| Reports | view, create |
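Permission keys only protect anything if every check is deny-by-default and the subscription gating described in the next subsection is enforced in the same place, not just in the UI. The following is an added TypeScript example, not uPayments' code: it builds the key set from the table above, checks a role's allow-list, then checks the tier, and returns a distinct decision for "upgrade required" so the UI can show the blurred preview and upgrade CTA only to users who would otherwise be allowed in. The `<area>.<action>` key format, the role names and grants, and the tier names below Scale are assumptions; the page lists the areas and actions but not how keys are spelled.

```typescript
// Permission keys are assumed to be "<area>.<action>" strings; the page lists the areas and
// actions but not the key format, so that and the role/tier names below are assumptions.
const PERMISSION_TABLE: Record<string, readonly string[]> = {
  transactions: ["view", "refund"],
  customers: ["view", "create", "edit"],
  invoices: ["view", "create", "edit", "delete", "send"],
  paymentPages: ["view", "create", "edit", "delete"],
  settings: ["view", "edit"],
  users: ["view", "manage", "delete"],
  reports: ["view", "create"],
};

export const ALL_PERMISSIONS: ReadonlySet<string> = (() => {
  const keys = new Set<string>();
  for (const area of Object.keys(PERMISSION_TABLE)) {
    for (const action of PERMISSION_TABLE[area]) keys.add(`${area}.${action}`);
  }
  return keys;
})();

// Illustrative roles. Grants are an allow-list; anything not listed is denied.
export const ROLES: Record<string, readonly string[]> = {
  owner: Array.from(ALL_PERMISSIONS),
  support: ["transactions.view", "transactions.refund", "customers.view", "invoices.view"],
  viewer: ["transactions.view", "customers.view", "invoices.view", "reports.view"],
};

export const TIERS = ["starter", "growth", "scale"] as const;
export type Tier = (typeof TIERS)[number];

// Minimum tier per gated feature. Only the Scale-tier features the page names are listed;
// the two lower tier names are placeholders.
export const FEATURE_MIN_TIER: Record<string, Tier> = {
  "sso.saml": "scale",
  "ip.whitelist": "scale",
  "audit.logs": "scale",
};

export interface User {
  role: string;
  tier: Tier;
}

export type Decision = "allow" | "forbidden" | "upgrade-required";

// Role check first, tier check second: a user whose role lacks the permission is
// "forbidden" regardless of tier, and only a user who could otherwise use the feature is
// offered the upgrade. Unknown permission keys are a bug and are refused, not granted.
export function authorize(user: User, permission: string, feature?: string): Decision {
  if (!ALL_PERMISSIONS.has(permission)) return "forbidden";
  const grants = ROLES[user.role] ?? [];
  if (grants.indexOf(permission) === -1) return "forbidden";
  if (feature !== undefined) {
    const minTier = FEATURE_MIN_TIER[feature];
    if (minTier !== undefined && TIERS.indexOf(user.tier) < TIERS.indexOf(minTier)) {
      return "upgrade-required";
    }
  }
  return "allow";
}
```

The same `authorize` call should run in the API route handler, not only in the component that decides whether to blur a panel; a blurred preview is a presentation choice, and the server response is the control.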
Tier-Based Feature Gating
Features are gated by subscription tier. Locked features show a blurred preview with an upgrade CTA.
Data Security
- NMI API keys encrypted at rest with AES-256-GCM
- No raw card data stored: card details are tokenized in the browser by NMI's Collect.js, so raw card numbers never reach uPayments servers and stay out of PCI DSS scope
- Row Level Security (RLS) on all database tables
- HMAC-SHA256 webhook signatures
- bcrypt password hashing (12 rounds)
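Two of the bullets above, AES-256-GCM for the stored NMI API keys and HMAC-SHA256 for webhooks, are easy to get subtly wrong: reusing a nonce, forgetting to bind the ciphertext to its owner, or comparing signatures with `===`. The following is an added TypeScript example, not uPayments' code, showing both done carefully. The storage layout (nonce, tag, ciphertext), the use of the merchant id as associated data, the signature header format and the timestamp tolerance are this example's assumptions; the page states only the algorithms.

```typescript
import { createCipheriv, createDecipheriv, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// ---- Secrets at rest: AES-256-GCM -------------------------------------------
// Stored blob layout (assumption): 12-byte nonce || 16-byte tag || ciphertext, base64.
// The merchant id is bound in as AAD so a blob copied onto another merchant's row fails
// to decrypt instead of handing that merchant someone else's NMI key.
export function encryptSecret(masterKey: Buffer, merchantId: string, plaintext: string): string {
  if (masterKey.length !== 32) throw new Error("AES-256 needs a 32-byte key");
  const nonce = randomBytes(12); // fresh per encryption; a repeated nonce breaks GCM entirely
  const cipher = createCipheriv("aes-256-gcm", masterKey, nonce);
  cipher.setAAD(Buffer.from(merchantId, "utf8"));
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ciphertext]).toString("base64");
}

// Returns null on any authentication failure: tampered bytes, wrong key, or wrong merchant.
export function decryptSecret(masterKey: Buffer, merchantId: string, blob: string): string | null {
  const buf = Buffer.from(blob, "base64");
  if (buf.length < 28) return null;
  const decipher = createDecipheriv("aes-256-gcm", masterKey, buf.subarray(0, 12));
  decipher.setAuthTag(buf.subarray(12, 28));
  decipher.setAAD(Buffer.from(merchantId, "utf8"));
  try {
    return Buffer.concat([decipher.update(buf.subarray(28)), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// ---- Webhook verification: HMAC-SHA256 --------------------------------------
// Assumed header format: "t=<unix seconds>,v1=<hex hmac>" where the MAC covers
// "<t>.<raw body>". Binding the timestamp limits how long a captured request can be replayed.
export function signWebhook(secret: string, timestamp: number, rawBody: string): string {
  const mac = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

export function verifyWebhook(
  secret: string,
  header: string,
  rawBody: string,
  nowSeconds: number,
  toleranceSeconds = 300,
): boolean {
  const fields = new Map(header.split(",").map((kv) => kv.split("=") as [string, string]));
  const t = Number(fields.get("t"));
  const sig = fields.get("v1");
  if (!Number.isFinite(t) || !sig) return false;
  if (Math.abs(nowSeconds - t) > toleranceSeconds) return false; // outside the replay window
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  const given = Buffer.from(sig, "hex");
  // Length check first: timingSafeEqual throws on mismatched lengths.
  return given.length === expected.length && timingSafeEqual(given, expected);
}
```

Verify the webhook over the exact bytes received, before any JSON parsing; re-serialising the parsed object will change whitespace or key order and the MAC will not match. For the stored keys, the master key itself belongs in a KMS or environment secret, never in the same database as the blobs.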
Advanced Security (Scale Tier)
- SSO (SAML) — Single sign-on with your identity provider
- IP Whitelist — Restrict dashboard access by IP/CIDR
- Audit Logs — Full audit trail of all actions