Please report suspected vulnerabilities privately through GitHub security advisories for this repository.

Do not open public issues for credential exposure, webhook verification bypass, or request replay concerns.

• Store MakePay credentials only in Directus server environment variables.
• Restrict payment-link creation endpoints before exposing them publicly.
• Verify webhooks with the raw request body whenever available.
• Persist processed event IDs in application code for idempotent reconciliation.