Secure Communications
This guide provides client-server security information to help you ensure secure communications between your customer and your server.
Using TLS and HTTPS
TLS (Transport Layer Security) is the protocol that secures data in transit between the client (the app or browser your customer is using) and your server. This was originally done with the SSL (Secure Sockets Layer) protocol; SSL is now deprecated and no longer secure, and has been replaced by TLS. The term "SSL" is still used colloquially to refer to TLS and its role in protecting transmitted data.
Payment pages must use a modern version of TLS (e.g., TLS 1.2), which significantly reduces the risk of you or your customers being exposed to a man-in-the-middle attack. TLS aims to accomplish the following:
- Encrypt traffic between the client and your server and verify its integrity.
- Verify that the client is communicating with the correct server. In practice, this usually means verifying that the owner of the domain and the owner of the server are the same entity. This verification relies on a TLS certificate, a cryptographic credential issued by a trusted certificate authority (CA) that binds the server's identity to its domain. This helps prevent man-in-the-middle attacks: without it, there is no guarantee that you are encrypting traffic to the right recipient.
Additionally, your customers are more comfortable sharing sensitive information on pages visibly served over HTTPS, which can help increase your customer conversion rate.
If need be, you can test your integration without using HTTPS, and enable it once you are ready to accept live charges. However, all interactions between your server and Affirm must use TLS 1.2 (i.e., when using our libraries).
Certificate Pinning
Certificate pinning restricts your application to establishing HTTPS connections only with servers whose certificates chain to certificate authorities (CAs) that you explicitly trust. Affirm recommends against certificate pinning, because it can cause major outages when certificates are rotated or changed. See the blog post from Cloudflare for another explanation.
Certificate Pinning Guidelines
- If you must utilize Certificate Pinning, pin only the root TLS certificates.
- Do not pin the entire certificate chain, the intermediate certificate, or the leaf certificate. If you do, you run a high risk of breaking your integration when Affirm updates the certificates for its systems. For your integrations with Affirm, ensure that all of the following root certificates are included in your pin set.
Note that this guidance covers only TLS connections, not mTLS connections.
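The root-only pin described in the guidelines above, as an added Python example (not Affirm's code): it normalises the fingerprint formats, compares only the last certificate of the chain against two of the GTS root fingerprints listed in the next section, builds a client context limited to TLS 1.2+ and the ECDHE suites from the cipher list below, and shows that a leaf pin breaks when the leaf rotates while a root pin does not. The byte strings standing in for DER certificates are constructed, and the function names are this example's own.

```python
import hashlib
import ssl
# Two of the root SHA-256 fingerprints listed on this page (GTS Root R1 and R2); add the rest the same way.
PINNED_ROOT_FINGERPRINTS = {
    "d9:47:43:2a:bd:e7:b7:fa:90:fc:2e:6b:59:10:1b:12:80:e0:e1:c7:e4:e4:0f:a3:c6:88:7f:ff:57:a7:f4:cf",
    "8d:25:cd:97:22:9d:bf:70:35:6b:da:4e:b3:cc:73:40:31:e2:4c:f0:0f:af:cf:d3:2d:c7:6e:b5:84:1c:7e:a8",
}

def normalize_fingerprint(fp: str) -> str:
    """Accept 'd9:47:..', 'D947..' or 'd9 47 ..'; return lowercase colon-separated hex."""
    digits = "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")
    if len(digits) != 64:
        raise ValueError("a SHA-256 fingerprint is 32 bytes (64 hex digits)")
    return ":".join(digits[i:i + 2] for i in range(0, 64, 2))

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, formatted like the fingerprints on this page."""
    return normalize_fingerprint(hashlib.sha256(der).hexdigest())

def chain_is_pinned(chain_der: list[bytes], pinned: set[str], position: int) -> bool:
    """True when the certificate at `position` (0 = leaf, -1 = root) matches a pin."""
    if not chain_der:
        return False
    pins = {normalize_fingerprint(p) for p in pinned}
    return cert_fingerprint(chain_der[position]) in pins

def root_is_pinned(chain_der: list[bytes], pinned: set[str] = PINNED_ROOT_FINGERPRINTS) -> bool:
    """The recommended check: pin only the root, i.e. the last certificate in the chain."""
    return chain_is_pinned(chain_der, pinned, -1)

def make_client_context() -> ssl.SSLContext:
    """Refuse anything below TLS 1.2; limit TLS 1.2 to the page's ECDHE suites (TLS 1.3 suites are fixed)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
    )
    return ctx

def rotation_demo() -> tuple[bool, bool]:
    """Constructed stand-ins for DER certs; the server then rotates leaf and intermediate.
    Returns (root pin still valid, leaf pin still valid)."""
    root = b"constructed root CA DER"
    before = [b"constructed leaf v1", b"constructed intermediate v1", root]
    after = [b"constructed leaf v2", b"constructed intermediate v2", root]
    root_pin, leaf_pin = {cert_fingerprint(root)}, {cert_fingerprint(before[0])}
    return root_is_pinned(after, root_pin), chain_is_pinned(after, leaf_pin, 0)
```

In a real client, `chain_der` is the verified chain the TLS library hands back after normal CA validation; the pin check is an additional step, not a replacement for it.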
Root Certificates for Affirm Domains
Please see below for the root certificates for Affirm domains:
- GTS Root R1
  - SHA-256 fingerprint: d9:47:43:2a:bd:e7:b7:fa:90:fc:2e:6b:59:10:1b:12:80:e0:e1:c7:e4:e4:0f:a3:c6:88:7f:ff:57:a7:f4:cf
- GTS Root R2
  - SHA-256 fingerprint: 8d:25:cd:97:22:9d:bf:70:35:6b:da:4e:b3:cc:73:40:31:e2:4c:f0:0f:af:cf:d3:2d:c7:6e:b5:84:1c:7e:a8
- GTS Root R3
  - SHA-256 fingerprint: 34:d8:a7:3e:e2:08:d9:bc:db:0d:95:65:20:93:4b:4e:40:e6:94:82:59:6e:8b:6f:73:c8:42:6b:01:0a:6f:48
- GTS Root R4
  - SHA-256 fingerprint: 34:9d:fa:40:58:c5:e2:63:12:3b:39:8a:e7:95:57:3c:4e:13:13:c8:3f:e6:8f:93:55:6c:d5:e8:03:1b:3c:7d
- GlobalSign R4
  - SHA-256 fingerprint: b0:85:d7:0b:96:4f:19:1a:73:e4:af:0d:54:ae:7a:0e:07:aa:fd:af:9b:71:dd:08:62:13:8a:b7:32:5a:24:a2
- Certainly Root R1
  - SHA-256 fingerprint: 77:b8:2c:d8:64:4c:43:05:f7:ac:c5:cb:15:6b:45:67:50:04:03:3d:51:c6:0c:62:02:a8:e0:c3:34:67:d3:a0
- Certainly Root E1
  - SHA-256 fingerprint: b4:58:5f:22:e4:ac:75:6a:4e:86:12:a1:36:1c:5d:9d:03:1a:93:fd:84:fe:bb:77:8f:a3:06:8b:0f:c4:2d:c2
- Starfield Root Certificate Authority - G2
  - SHA-256 fingerprint: 2b:07:1c:59:a0:a0:ae:76:b0:ea:db:2b:ad:23:ba:d4:58:0b:69:c3:60:1b:63:0c:2e:af:06:13:af:a8:3f:92
You can verify and download the above root CA certificates from the following:
Supported Ciphers
Current list of supported ciphers as of 02/12/2025:
- AEAD-AES128-GCM-SHA256
- AEAD-AES256-GCM-SHA384
- AEAD-CHACHA20-POLY1305-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
Supported Protocols and Ciphers
Security Best Practices
Visit our Security Best Practices page to discover Affirm's recommendations and strategies for keeping sensitive information secure.