Security

Use HTTPS for all requests; never send the token or payment data over plain HTTP. After login, include the JWT in the Authorization header as a Bearer token on every request (Authorization: Bearer <token>). Generate a unique idempotency key for each payment attempt and reuse that same key when retrying that attempt, so a retried or duplicated request cannot create a second payment.
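The following Python is an added example, not part of this page's API or its reference implementation. It shows both halves of the idempotency contract described above: a hypothetical client helper that refuses non-HTTPS URLs, attaches the Bearer token and assigns one key per payment attempt, and a hypothetical server-side store that replays the stored result when a key is reused, rejects a reused key whose payload differs, and scopes keys to the authenticated subject so two callers cannot collide on the same key. The header name Idempotency-Key, the /payments path and the response shapes are assumptions; JWT verification is out of scope, so the subject is passed in as if already extracted from a verified token.

```python
import hashlib
import json
import uuid
from urllib.parse import urlparse


def build_payment_request(base_url, jwt, amount_cents, currency, attempt_key=None):
    """Hypothetical client helper: build one request for one payment attempt.

    Pass attempt_key when retrying an attempt so the same key is reused;
    leave it None to start a new attempt with a fresh key.
    """
    if urlparse(base_url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    key = attempt_key or str(uuid.uuid4())  # one key per payment attempt
    headers = {
        "Authorization": f"Bearer {jwt}",  # JWT obtained at login
        "Idempotency-Key": key,            # assumed header name
        "Content-Type": "application/json",
    }
    body = {"amount_cents": amount_cents, "currency": currency}
    return {"url": base_url.rstrip("/") + "/payments", "headers": headers, "body": body}


class PaymentService:
    """Hypothetical server side: idempotency store keyed by (subject, key)."""

    def __init__(self):
        self._store = {}   # (subject, key) -> (payload_hash, stored_response)
        self.charges = []  # simulated ledger of charges actually executed

    @staticmethod
    def _payload_hash(body):
        # Canonical JSON so key order in the request does not matter.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def handle(self, subject, request):
        """subject: the 'sub' of the already-verified JWT (verification not shown)."""
        key = request["headers"].get("Idempotency-Key")
        if not key:
            return 400, {"error": "Idempotency-Key header required"}
        body = request["body"]
        digest = self._payload_hash(body)
        entry = self._store.get((subject, key))
        if entry is not None:
            stored_digest, stored_response = entry
            if stored_digest != digest:
                # Same key, different payload: a client bug, not a retry.
                return 422, {"error": "Idempotency-Key reused with a different payload"}
            return stored_response  # replay the original outcome; no new charge
        charge_id = f"ch_{len(self.charges) + 1}"
        self.charges.append({"id": charge_id, "subject": subject, **body})
        response = (201, {"id": charge_id, **body})
        self._store[(subject, key)] = (digest, response)
        return response


if __name__ == "__main__":
    svc = PaymentService()
    first = build_payment_request("https://api.example.com", "eyJ.demo.token", 1999, "USD")
    print(svc.handle("user_1", first))
    # Retry of the same attempt reuses the key and is replayed, not re-charged.
    retry = build_payment_request("https://api.example.com", "eyJ.demo.token", 1999, "USD",
                                  attempt_key=first["headers"]["Idempotency-Key"])
    print(svc.handle("user_1", retry), "charges:", len(svc.charges))
```

Scoping the store by subject matters: if keys were global, a client that guessed or reused another caller's key would receive that caller's stored response. In a real service the store would also need an expiry and the stored response would be written in the same transaction as the charge, so a crash between the two cannot leave a charge with no replayable record.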