Before promoting or providing a product or service to Betfair users via the Betfair API, Vendors must complete our certification process. The process is designed to protect our users' sensitive data and to guide you in delivering a secure, compliant solution.
Part A: Application Security Certification
Broadly speaking, we need to ensure that customers can use their accounts securely, without exposing them to account hijacking, misuse or any other form of malicious activity.
Please ensure that you have a documented SLA for the availability of your services, and a plan for handling a malicious attack.
All security, technical and product requirements must be met before the app is approved.
Security Authorisation Checklist:
- 1 An application may not communicate with the API through a proxy of any description. All communication must be directly with the API* and over a secure channel.
- 2 A Vendor must not have visibility of a user's Betfair username, password or any other sensitive data that could link a user of a product to a Betfair account.
- 3 An application must communicate directly with Betfair via the API to validate a customer.
- 4 An application must not store or log the username or password in plain text. If the user has chosen to store their username or password locally (by performing an explicit action to indicate their wish to do so), the stored values must be encrypted (AES with a key length of at least 128 bits).
- 5 An application must display an agree/disagree modal dialog to the user when the user indicates a desire to store their username and/or password locally. The default action of the dialog must be to not save the details.
- 6 An application must use the Vendor-registered user ID (not the Betfair username) to validate subscriptions, fetch news, update the application and perform all other Vendor/application-specific communication.
- 7 The provisioning of the account to use the application with the Betfair API must be via the API-NG Vendor Services operations.
- 8 The Application Key must be obfuscated so that it is not exposed to the end user.
- 9 The application must provide a 'Log-out' function to enable the customer to end their session.
*Web Apps are exempt from this requirement but must use the Web App operations made available for this purpose. If you are developing a web-based app, please contact us via the Getting Started process for further information.
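Items 4 and 5 together describe a local credential store: nothing is written unless the user explicitly agrees, and what is written is AES-encrypted rather than plain text. The following Go program is an added illustration of one way to satisfy both items; it is not Betfair code and the function names (SealCredentials, OpenCredentials, ConsentPrompt) are hypothetical. It assumes the 16- or 32-byte key is obtained from an OS keystore (here it is simply generated for the demonstration), uses AES-GCM so that a tampered store is detected rather than silently decrypted to garbage, and gives the Credentials type a redacting String() method so that an accidental log statement cannot print the password.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Credentials holds the Betfair login details the user has asked to save locally.
type Credentials struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// String redacts both fields, so fmt/log calls on a Credentials value never emit
// the plain-text username or password (item 4 forbids logging them in the clear).
func (c Credentials) String() string {
	return "Credentials{username: [redacted], password: [redacted]}"
}

// ConsentPrompt models the agree/disagree dialog of item 5. The zero value is
// "not agreed": storage only happens after an explicit agree action sets Agreed.
type ConsentPrompt struct {
	Agreed bool
}

// ErrNoConsent is returned when code tries to persist credentials without consent.
var ErrNoConsent = errors.New("user has not agreed to store credentials locally")

// newAEAD builds an AES-GCM cipher and enforces the item 4 minimum of a 128-bit key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	switch len(key) {
	case 16, 24, 32: // AES-128, AES-192, AES-256
	default:
		return nil, fmt.Errorf("AES key must be 16, 24 or 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCredentials encrypts creds under key and returns nonce || ciphertext || tag.
// It refuses to produce anything unless the user agreed in the consent dialog.
func SealCredentials(consent ConsentPrompt, key []byte, creds Credentials) ([]byte, error) {
	if !consent.Agreed {
		return nil, ErrNoConsent
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := json.Marshal(creds)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per write; reusing a GCM nonce under one key breaks confidentiality.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce, so the blob is self-describing.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenCredentials decrypts a blob produced by SealCredentials. Any modification of
// the stored bytes (or a wrong key) fails the GCM tag check and returns an error.
func OpenCredentials(key, blob []byte) (Credentials, error) {
	var creds Credentials
	aead, err := newAEAD(key)
	if err != nil {
		return creds, err
	}
	if len(blob) < aead.NonceSize() {
		return creds, errors.New("stored credential blob is too short")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plaintext, err := aead.Open(nil, nonce, ciphertext, nil)
	if err != nil {
		return creds, fmt.Errorf("credential store corrupt or tampered: %w", err)
	}
	if err := json.Unmarshal(plaintext, &creds); err != nil {
		return creds, err
	}
	return creds, nil
}

func main() {
	// Constructed demo key; a real application would fetch it from the OS keystore.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	creds := Credentials{Username: "example-user", Password: "example-password"}

	// Default dialog action is "do not save": nothing is written.
	if _, err := SealCredentials(ConsentPrompt{}, key, creds); err != nil {
		fmt.Println("no consent:", err)
	}
	blob, err := SealCredentials(ConsentPrompt{Agreed: true}, key, creds)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; logging the value shows %v\n", len(blob), creds)

	got, err := OpenCredentials(key, blob)
	fmt.Println("round trip ok:", err == nil && got == creds)

	blob[len(blob)-1] ^= 0xff // simulate on-disk tampering
	_, err = OpenCredentials(key, blob)
	fmt.Println("tamper detected:", err != nil)
}
```

The redacting String() method is the cheapest part of this and arguably the most valuable in practice: most plain-text credential leaks in client applications come from a debug log, not from the storage format.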
If an application is found to be unlicensed and/or non-compliant with the above requirements, Betfair reserves the right to suspend the application and/or the applicable accounts.