
API Security

Understand how we protect the connection between our backend and all clients via secure APIs.

How we secure API communication

tchop uses a headless, API-first architecture. The backend, web app, and native mobile apps are fully decoupled – every client communicates with the backend exclusively through our API. This means API security is not an add-on. It is the foundation of how the platform works.

Architecture

tchop’s backend exposes both REST and GraphQL APIs. Web frontends and native mobile apps are treated as independent clients that connect over the API. This decoupled design offers several security benefits:

  • Service isolation – each component operates independently, limiting the blast radius if one part is compromised.

  • Single point of enforcement – all security policies (authentication, authorisation, rate limiting) are enforced at the API layer.

  • Independent deployment – mobile apps, web frontends, and the backend can be updated without affecting each other.

All API endpoints are documented via OpenAPI / Swagger, giving clients a clear, versioned contract for every request and response.

Authentication and authorisation

Every API request must be authenticated. tchop uses OAuth 2.0 as the authorisation framework, combined with a token-based authentication model and dedicated client credentials:

  • API Client ID – each client (web app, iOS app, Android app, third-party integration) is issued a unique client identifier sent via a custom header.

  • Auth Token – each authenticated session uses a secure token that must be included with every request.

  • Token expiration – sessions can be configured to expire after a defined period, forcing re-authentication.

  • Key rotation – client credentials can be rotated without downtime. If a key is compromised, it can be invalidated immediately and replaced.

  • JWT support – for third-party integrations (e.g. Microsoft Teams, Supabase), tchop generates and validates JSON Web Tokens (JWT) on the backend.

No API request is processed without valid credentials. Unauthenticated requests are rejected before reaching the application logic.
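As an added illustration, not code from tchop, the request gate described above can be written as a small Python filter that runs before any application logic: it checks for a registered client ID in a custom header, requires a bearer token, verifies the token as an HMAC-signed JWT, and enforces the exp claim so an expired session forces re-authentication. The header name `X-Client-Id`, the client IDs, the signing key and the choice of HS256 are assumptions made for this demo; a production gate would also check issuer and audience and would load the key from a secret store.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo values (not tchop's): header carrying the client ID, registered IDs, HMAC key.
CLIENT_ID_HEADER = "X-Client-Id"
KNOWN_CLIENT_IDS = {"demo-web-app", "demo-ios-app"}
SIGNING_KEY = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: int) -> str:
    # Mint an HS256 JWT; 'now' is a unix timestamp (pass int(time.time()) in real use).
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": subject, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    # Return the claims only if algorithm, signature and expiry all check out.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None  # tampered payload or wrong key
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None  # malformed token
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None  # expired: the client must re-authenticate
    return claims


def gate_request(headers: dict, now: int) -> Tuple[int, str]:
    # Enforce the policy before any application logic; a 401 stops the request here.
    if headers.get(CLIENT_ID_HEADER) not in KNOWN_CLIENT_IDS:
        return 401, "unknown or missing client id"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    return 200, f"authenticated as {claims['sub']}"
```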

SSO and enterprise authentication

For enterprise clients, tchop supports Single Sign-On (SSO) via standard protocols:

  • OIDC (OpenID Connect) – supported through providers like FusionAuth and others.

  • SAML – available for enterprise identity providers.

  • Token exchange – for embedded integrations (e.g. Microsoft Teams), tchop handles SSO token exchange so users are authenticated without a separate login step.

This means your employees or users authenticate with their existing identity provider. No separate passwords to manage.

Transport security

All API communication is encrypted in transit using TLS (Transport Layer Security):

  • Every API call between clients and the backend runs over HTTPS.

  • SSL certificates are managed and renewed automatically.

  • NGINX serves as a reverse proxy in front of the API, handling TLS termination, request filtering, and connection management.

  • SSL pinning – native iOS and Android apps use certificate pinning to prevent man-in-the-middle attacks, even on compromised networks.

  • No plaintext HTTP connections are accepted.

Secure token storage on devices

Authentication tokens on mobile devices are stored using the platform’s secure storage mechanisms:

  • iOS – tokens are stored in the iOS Keychain, Apple’s encrypted credential storage.

  • Android – tokens are stored in the Android Keystore, Google’s hardware-backed security module.

This ensures that tokens cannot be extracted from the device, even if the file system is accessed.

Infrastructure protection

Beyond authentication and encryption, the API infrastructure includes additional layers of protection:

  • AWS WAF (Web Application Firewall) – filters and blocks malicious traffic before it reaches the API, protecting against common attack patterns like SQL injection, cross-site scripting (XSS), and request flooding.

  • Rate limiting – protects against brute-force attacks and API abuse.

  • CORS policies – restrict which domains can make API requests, preventing unauthorised cross-origin access.

  • Input validation – all API inputs are validated and sanitised before processing.

Monitoring and incident response

API activity is continuously monitored as part of our ISO 27001 certified ISMS:

  • Unusual access patterns trigger alerts.

  • All API access is logged for audit purposes.

  • Incident response procedures are documented and tested.

  • The platform supports forced app updates to quickly deploy security patches to all clients.

Summary

  • tchop uses a headless, API-first architecture where all clients connect through secure APIs.

  • OAuth 2.0 with token-based authentication and dedicated client credentials protects every request.

  • Client credentials can be rotated instantly without downtime.

  • SSO via OIDC, SAML, and token exchange is supported for enterprise clients.

  • All API traffic is encrypted via TLS/HTTPS with SSL pinning on native mobile apps.

  • Auth tokens are stored securely in iOS Keychain and Android Keystore.

  • AWS WAF, rate limiting, CORS policies, and input validation protect against common attack vectors.

  • These measures are part of our ISO 27001 certified ISMS, audited by TÜV Süd.

Need help with a security questionnaire or API integration review? Reach out to us at support@tchop.io.

Want to test your app for free?

Experience the power of tchop™ with a free, fully-branded app for iOS, Android and the web. Let's turn your audience into a community.

Request your free branded app
