Security
Encryption in transit, authentication, webhook signatures, IP allowlisting, status, and compliance.
Transport security
All Buró de Ingresos endpoints require TLS 1.3. Connections using older TLS versions are rejected.
Authentication
All requests authenticate using an API key sent in the X-API-Key header.
curl https://api.burodeingresos.com/verifications \
-H "X-API-Key: your-api-key" \
-H "Content-Type: application/json"Manage your API keys from the Developers section in console.burodeingresos.com. Keep your API key secret. Never commit it to source control, expose it in client-side code, or share it across teams.
Webhook signatures
Every webhook event includes an X-Signature header computed as HMAC SHA-256 over the raw body using your secret_key. See Webhooks for the verification procedure and a Node.js example.
Outbound IP allowlisting
If your webhook endpoint restricts inbound traffic by IP, fetch the current outbound IP list from GET /outbound_ips. See the Get Outbound IP Addresses API reference for the response shape and the Webhooks guide for recommended refresh cadence.
Status and availability
Real-time API status, incidents, and scheduled maintenance are published at status.burodeingresos.com.
Compliance
Buró de Ingresos is certified under ISO-27001. All personal data is processed in compliance with the Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP).
Updated 8 days ago