...
The API interfaces require the use of a URL of the SAS server. You must use the HTTPS: and not HTTP. The SAS will not accept HTTP requests. All access should use Tls 1.2 or greater.
Sever to Server Communications Only
This API is used for app server to SurePassId server communications only. The API contains sensitive information that you would not expose in a non-secure environment such as a mobile app. Mobile apps invoke requests on the SurePass SurePassID REST proxy interface and the proxy forwards that request to SurePassIdSurePassID. All browser based jquery JavaScript operations will talk to a proxy page on your site, which will in turn communicate with the SAS server. All mobile apps will also talk to a proxy page on your site, which will in turn communicate with the SAS. We have sample code that does all of this for you.
...
Keep you account login info in a safe place and never in plain text. Always obfuscate/encrypt the Login Name and Login Key in your server applications that interface with the SAS.