by sneak 1362 days ago
Defaults matter. Make the api client encrypt everything it sends to you, so you never handle unencrypted customer data.

Oh for sure, I just haven't thought of a way to enforce that the payload be encrypted because there are so many different methods to do that and most of them still result in a string...

Do you have any advice or suggestions for how to enforce that?

I'll definitely add some docs to encourage it though; thanks for the suggestion!

When I say “make”, I mean in your own api client library. It should happen automatically so the user doesn’t have to think about it.

You can provide some functions for the webhooks so targeted to authenticate and decrypt the stuff posted to them.

Ah gotcha. Yea we'll 100% include that as part of our SDK. Thanks for clarifying!
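
The SDK behaviour discussed in this thread, as an added example that is not part of the original comments or of any real service's SDK: the client helper encrypts before sending, and the webhook helper authenticates and decrypts in one step. The function names, the `v1.nonce.ciphertext.tag` envelope, the choice of AES-256-GCM, a 32-byte key shared only by sender and webhook owner, and binding the target URL as associated data are all assumptions made for illustration.

```javascript
// Added illustration: hypothetical SDK helpers, not any real service's API.
const nodeCrypto = require('node:crypto');

const VERSION = 'v1';

// Client side: encrypt before the payload ever leaves the caller's process.
// `key` is a 32-byte secret the intermediary service never sees (assumption).
function sealPayload(key, data, targetUrl) {
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce per message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(targetUrl, 'utf8')); // bind envelope to its destination
  const ct = Buffer.concat([cipher.update(JSON.stringify(data), 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [VERSION, ...[nonce, ct, tag].map((b) => b.toString('base64url'))].join('.');
}

// Webhook side: authenticate and decrypt; throws on any tampering or wrong key.
function openPayload(key, envelope, targetUrl) {
  const parts = String(envelope).split('.');
  if (parts.length !== 4 || parts[0] !== VERSION) throw new Error('unsupported envelope');
  const [nonce, ct, tag] = parts.slice(1).map((p) => Buffer.from(p, 'base64url'));
  if (nonce.length !== 12 || tag.length !== 16) throw new Error('malformed envelope');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAuthTag(tag);
  decipher.setAAD(Buffer.from(targetUrl, 'utf8'));
  // final() verifies the tag and throws if ciphertext, nonce, AAD or key differ.
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// What the intermediary receives: a target and an opaque string, nothing else.
function buildRequest(key, targetUrl, data) {
  return { target: targetUrl, payload: sealPayload(key, data, targetUrl) };
}

// Returns true when openPayload refuses the input.
function rejects(key, envelope, targetUrl) {
  try { openPayload(key, envelope, targetUrl); return false; } catch { return true; }
}
```

The payload is still "a string", but one the service cannot read, and the webhook owner can detect a modified payload or one redirected to a different URL.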