Integrating the Tunic Pay APP Prevent API

As well as integrating our SDK into your application, you will also want your application to be able to communicate with our APP Prevent API. There are two options for doing so:

1. Running the Prevent Relay: We provide a lightweight proxy for our API that you can run withinin your own infrastructure.
2. Calling our API directly: You can instead use our public API at api.prevent.tunicpay.com.

Prevent Relay is the best option for most use cases

We recommend running the Prevent Relay in your own infrastructure for the best DevX, observability and security.

We prefer the first option as it:

• Allows backhaul between our services and yours to run over a private network on either AWS or GCP (using PrivateLink or Private Service Connect respectively)
• Gives you full control over authorization
• Provides a clear audit trail with customizable logging and monitoring within your existing infra and inspection of any customer data within every payload through simple middleware with onRequest and onResponse hooks
• Enables the best DevX with a deterministic testing mode that is preloaded with fixed responses and needs no network connection, facilitating easy local development and automated testing

There’s a diagram of each option below showing the journey of one request from a user’s device to our API.

Deployment options

Running the Prevent Relay

Our Prevent Relay is a lightweight proxy for our API that you can run within your own infrastructure with a rich middleware interface for:

• authorizing requests
• logging and telemetry
• auditing data processed
• reacting to the Prevent session lifecycle

It provides the best DevX with options for local development, automated testing and staging environments. This allows you to test your integration end-to-end without needing to connect to our API.

Once you’ve set up the Prevent Relay and configured your app to use it, your Relay connects to our API using mTLS (over a private connection in AWS or GCP) to ensure a secure connection between your infrastructure and ours without your having to share secrets with us.

Remember to update TP_BASE_URL

If using the Prevent Relay in your own infrastructure, you will need to build your app with the TP_BASE_URL arg set either in your build.gradle or as a CLI arg:

Example build commands

Gradle

build.gradle

android {
    productFlavors {
        prod {
            buildConfigField "string", "TP_BASE_URL", "https://my-secure-api.example.com"
        }
    }
}

CLI

CLI build session

./gradlew assembleProdDebug -PtpBaseUrl=https://my-secure-api.example.com

Calling our API directly

If you choose to call our API directly, your app will first need to get a token from us. This token is used to authenticate your requests to our API.

We implement a simple authorization logic when calling our app directly: a user can read/write all and only their own data. The assertion you provide to us should contain a stable identity across sessions to ensure a user can consistently access their own data.