Connections (BYOK)

Reevit operates on a Bring Your Own Key (BYOK) model. This means you connect your existing payment service provider (PSP) accounts (like Paystack, Hubtel, or Stripe) directly to Reevit. You maintain full ownership of your funds and provider relationships while leveraging our orchestration layer for unified operations.

💎 The BYOK Advantage

🏒 For Business Strategy

  • Direct Settlement: Funds are settled directly into your own PSP accounts. Reevit never touches your money.
  • Better Rates: Negotiate your processing fees directly with providers based on your volume. We don’t add markups to your transaction costs.
  • Zero Lock-in: Your data and customer payment tokens belong to you. If you choose to stop using Reevit, your provider accounts remain active.
  • Unified Security: Store all your API keys in one encrypted Vault instead of scattering them across multiple service environments.

💻 For Engineering Control

  • Abstracted Credentials: Manage multiple keys for different regions (e.g., Paystack Ghana vs. Paystack Nigeria) under a single connection_id.
  • Capability Mapping: Reevit automatically knows which connection to use based on the currency and method in the payment request.
  • Health Monitoring: Every connection has a real-time health score. If a provider’s API starts failing, Reevit detects it and shifts traffic to your fallbacks.

🛠️ Setting Up a Connection

1. Collect your PSP Keys

Log into your provider’s dashboard (e.g., Paystack Settings) and copy your Secret Key and Public Key.

2. Register the Connection

Use the Reevit Dashboard or API to link the keys.
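import { Reevit } from '@reevit/node';

// `reevit` below is an initialized Reevit client; client setup is not shown on this page.
// The key values are placeholders: load real keys from a secret manager or
// environment variables rather than committing them to source control.
const connection = await reevit.connections.create({
  id: 'paystack_gh_primary',
  provider: 'paystack',
  mode: 'live',
  credentials: {
    secret_key: 'sk_live_xxx',
    public_key: 'pk_live_xxx'
  },
  capabilities: {
    methods: ['card', 'mobile_money'],
    countries: ['GH']
  }
});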

🌍 Supported Ecosystem

Reevit is built to support the most reliable providers in African and Global markets:
| Region | Providers | Best Known For |
| --- | --- | --- |
| Ghana | Hubtel, Paystack, Flutterwave | Dominant Mobile Money (MTN, Telecel, AT) |
| Nigeria | Paystack, Monnify, Flutterwave | High success rates & Bank Transfers |
| Global | Stripe | Card acceptance in 50+ countries |

📋 Field Reference

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | ✅ | Your custom identifier for the connection (e.g., paystack_gh_primary). Must be unique within your organization. |
| provider | string | ✅ | The PSP type. Supported: paystack, hubtel, flutterwave, monnify, stripe, mpesa. |
| mode | string | ✅ | live for production, sandbox for testing. Must match your PSP key environment. |
| status | string | | active or inactive. Inactive connections are ignored by the router. Default: active. |
| credentials | object | ✅ | Provider-specific API keys (e.g., secret_key, public_key). Encrypted at rest. |
| labels | string[] | | Tags for categorization and routing (e.g., ["primary", "ghana", "fallback"]). |
| capabilities | object | | Defines supported methods (e.g., card, mobile_money) and countries (e.g., GH, NG). Auto-detected if omitted. |
| routing_hints | object | | Advanced: hints for cost/latency optimization. |

Understanding labels

Labels are metadata tags that power intelligent routing and organization:
  • Routing Hints: Tag connections as primary or fallback to influence failover behavior.
  • Regional Grouping: Use labels like ghana, nigeria to logically group connections by market.
  • Custom Segmentation: Apply any label that makes sense for your business, such as high-volume or testing-only.
// Example: Creating a connection with labels
await reevit.connections.create({
  id: 'hubtel_gh_fallback',
  provider: 'hubtel',
  mode: 'live',
  credentials: { client_id: '...', secret: '...' },
  labels: ['fallback', 'ghana', 'momo-only']
});

🔒 Credential Security

Reevit takes the security of your PSP credentials seriously. When you create a connection, your sensitive keys are protected using industry-standard encryption.

Encryption at Rest

All credentials stored in Reevit are encrypted using AES-256-GCM:
  • Credentials are encrypted immediately upon receipt
  • Encryption keys are managed via hardware security modules (HSM)
  • Reevit staff never see your credentials in plain text

Credential Access

Your credentials are only decrypted when:
  1. Processing a payment that routes to this connection
  2. Testing the connection via the test endpoint
  3. You explicitly request credential retrieval (via API)

Security Best Practices

  1. Use separate credentials per environment
    // Sandbox - never use test keys in production
    await reevit.connections.create({
      id: 'paystack_sandbox',
      provider: 'paystack',  // required field
      mode: 'sandbox',
      credentials: { secret_key: 'sk_test_...' }
    });
    
    // Production - use live keys only
    await reevit.connections.create({
      id: 'paystack_live',
      provider: 'paystack',  // required field
      mode: 'live',
      credentials: { secret_key: 'sk_live_...' }
    });
    
  2. Never expose credentials in logs or error messages
    • Reevit automatically masks credentials in logs
    • Never print credentials to console in your application
  3. Rotate credentials regularly
    • Most PSPs allow key rotation without service interruption
    • Update credentials via the API when rotating:
    await reevit.connections.update('paystack_live', {
      credentials: { secret_key: 'sk_live_new_key...' }
    });
    
  4. Use webhook secrets for signature verification
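    await reevit.connections.create({
      id: 'stripe_live',  // example identifier; id is a required field
      provider: 'stripe',
      mode: 'live',       // required; must match the sk_live_ key
      credentials: {
        secret_key: 'sk_live_...',
        stripe_webhook_secret: 'whsec_...'  // For webhook verification
      }
    });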
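
What a webhook secret is used for, as an added example that is not Reevit's or Stripe's own code: it follows Stripe's documented signature scheme (a `t=<timestamp>,v1=<hex>` header carrying an HMAC-SHA256 over `<timestamp>.<raw body>`, keyed with the `whsec_` secret). The function names and all sample values are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Parse "t=<unix seconds>,v1=<hex>[,v1=<hex>...]" and verify an HMAC-SHA256
// over "<t>.<raw body>" keyed with the endpoint's whsec_ secret.
function verifyStripeSignature(rawBody, header, secret, nowSec, toleranceSec = 300) {
  let timestamp = null;
  const candidates = [];
  for (const item of String(header).split(',')) {
    const eq = item.indexOf('=');
    if (eq === -1) continue;
    const key = item.slice(0, eq).trim();
    const value = item.slice(eq + 1).trim();
    if (key === 't') timestamp = value;
    if (key === 'v1') candidates.push(value);
  }
  if (!/^\d+$/.test(timestamp || '') || candidates.length === 0) {
    return { ok: false, reason: 'malformed_header' };
  }
  // Reject stale events so a captured request cannot be replayed later.
  if (Math.abs(nowSec - Number(timestamp)) > toleranceSec) {
    return { ok: false, reason: 'timestamp_out_of_tolerance' };
  }
  const expected = crypto.createHmac('sha256', secret)
    .update(`${timestamp}.${rawBody}`, 'utf8')
    .digest();
  // Constant-time comparison; the length check guards timingSafeEqual,
  // which throws when the two buffers differ in length.
  const ok = candidates.some((hex) => {
    const got = Buffer.from(hex, 'hex');
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  });
  return ok ? { ok: true, reason: null } : { ok: false, reason: 'signature_mismatch' };
}

// Constructed sample data (not real Stripe values).
const SAMPLE_SECRET = 'whsec_constructed_example_only';
const SAMPLE_BODY = '{"id":"evt_constructed","type":"charge.succeeded"}';
const SAMPLE_TS = 1700000000;

// Builds a header the way the sender would, so the example runs offline.
function signSample(body, secret, ts) {
  const mac = crypto.createHmac('sha256', secret).update(`${ts}.${body}`, 'utf8').digest('hex');
  return `t=${ts},v1=${mac}`;
}

const SAMPLE_HEADER = signSample(SAMPLE_BODY, SAMPLE_SECRET, SAMPLE_TS);
console.log(verifyStripeSignature(SAMPLE_BODY, SAMPLE_HEADER, SAMPLE_SECRET, SAMPLE_TS + 10));
console.log(verifyStripeSignature(SAMPLE_BODY + ' ', SAMPLE_HEADER, SAMPLE_SECRET, SAMPLE_TS + 10));
```

Verification must run over the raw request bytes; a body that has been parsed and re-serialized will not produce the same HMAC.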
    
BYOK Model: Your credentials remain your property. Reevit never shares them with third parties or uses them for any purpose other than processing your payments.

✅ Best Practices

  1. Redundancy is Key: Always have at least two connections for your primary market (e.g., Hubtel + Paystack for Ghana). This enables Smart Routing.
  2. Environment Matching: Ensure your mode (live/sandbox) matches the PSP keys you are using.
  3. Regular Rotation: Rotate your provider secret keys every 90 days as part of your security protocol. Reevit makes this seamless via the update API.
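
A client-side pre-flight check for the environment-matching and no-credentials-in-logs practices above, as an added example that is not part of the Reevit SDK. The helper names are hypothetical, and the `sk_`/`pk_` plus `live`/`test` prefix check assumes the key format shown in this page's samples; credentials in other formats are not environment-checked.

```javascript
// Field names come from the Field Reference; helper names are hypothetical.
const REQUIRED_FIELDS = ['id', 'provider', 'mode', 'credentials'];
const VALID_MODES = ['live', 'sandbox'];
// Prefix convention seen in this page's samples: sk_live_, sk_test_, pk_live_ ...
const KEY_ENV = /^(?:sk|pk)_(live|test)_/;

// Returns a list of problems; an empty list means the payload may be sent.
function preflight(conn) {
  const problems = [];
  for (const field of REQUIRED_FIELDS) {
    const v = conn[field];
    if (v === undefined || v === null || v === '') {
      problems.push(`missing required field: ${field}`);
    }
  }
  if (conn.mode !== undefined && !VALID_MODES.includes(conn.mode)) {
    problems.push(`invalid mode: ${conn.mode}`);
    return problems;
  }
  const wanted = conn.mode === 'live' ? 'live' : 'test';
  for (const [name, value] of Object.entries(conn.credentials || {})) {
    const m = KEY_ENV.exec(String(value));
    if (m && conn.mode !== undefined && m[1] !== wanted) {
      problems.push(`${name} is a ${m[1]} key but mode is ${conn.mode}`);
    }
  }
  return problems;
}

// Copy of the payload that is safe to log: only the environment prefix of a
// key survives, every other credential value is fully masked.
function redact(conn) {
  const masked = {};
  for (const [name, value] of Object.entries(conn.credentials || {})) {
    const m = KEY_ENV.exec(String(value));
    masked[name] = m ? `${m[0]}****` : '****';
  }
  return { ...conn, credentials: masked };
}

// Constructed sample: a test key submitted with mode "live".
const SAMPLE_CONN = {
  id: 'paystack_live', provider: 'paystack', mode: 'live',
  credentials: { secret_key: 'sk_test_CONSTRUCTED0000', stripe_webhook_secret: 'whsec_CONSTRUCTED' }
};
console.log(preflight(SAMPLE_CONN));
console.log(JSON.stringify(redact(SAMPLE_CONN)));
```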