Integration architecture
Server‑to‑Server, Front‑Hosted, or Hybrid
The Three Archetypes
| Model | Where requests originate | Typical auth method | Best for |
|---|---|---|---|
| Server‑to‑Server (S2S) | Partner backend → Wirex Pay API | Partner JWT | Banks, payroll platforms, compliance‑heavy apps |
| Front‑Hosted (Client‑Direct) | Mobile/Web client → Wirex Pay API | Wirex Pay Token (short‑lived) | Crypto wallets, DeFi or NFT apps |
| Hybrid | Client handles low‑risk calls; backend handles privileged calls | Mixed (Token + JWT) | Super‑apps, gaming platforms, rapid MVPs |
Deep Dive per Model
| Aspect | Server‑to‑Server (S2S) | Front‑Hosted (Client‑Direct) | Hybrid |
|---|---|---|---|
| Flow | Client → Partner Backend → Wirex Pay API | Client → Wirex Pay API | Client (reads) + Backend (writes) |
| Pros | Centralised logging, enforceable business rules, API key protection | Lowest latency, minimal backend, works offline | Balanced UX and control, offloads backend for reads |
| Cons | Higher latency, backend scaling needed, more real‑time sync logic | Client-side token risk, non‑privileged access only, fragmented logging | Complex auth lifecycle, token & JWT coordination |
| When to Choose | You have a PCI‑compliant backend or require centralised AML/KYC logic | You serve crypto‑native users or need wallet UI responsiveness | You’re building a super‑app, staging rollout, or minimizing backend load |
Security & Compliance Considerations
| Concern | S2S | Front‑Hosted | Hybrid |
|---|---|---|---|
| API credentials exposure | Low (kept server‑side) | Medium (token in client) | Low‑medium |
| KYC data handling | Centralised | Decentralised | Mixed |
| Rate‑limiting control | High | Medium | High |
| PCI/PSD2 alignment | Straightforward | Needs token scoping | Depends on split |
Decision Matrix
Answer these questions to score each model:
- Where does KYC data already live?
- Do you need millisecond balance refresh in‑app?
- Can you safely secure short‑lived tokens on the client?
- Is your backend PCI‑ready?
Implementation Tips
- Token cache: Front‑hosted and hybrid models should cache Wirex Pay Tokens for up to 5 minutes to avoid auth spam.
- Webhook proxy: In S2S, route webhooks to an internal bus (Kafka, SNS) for decoupled processing.
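
The token-cache tip above, as an added example (not Wirex Pay code): an in-memory cache that reuses a token for at most 5 minutes, never past the token's own expiry, and collapses concurrent callers into one auth request. `fetchToken` and its `{ token, expiresInSec }` result are assumptions standing in for whatever call your client uses to obtain a Wirex Pay Token.

```javascript
// Added example. fetchToken is a hypothetical caller-supplied function that
// resolves to { token, expiresInSec } from your own auth flow.
const MAX_CACHE_MS = 5 * 60 * 1000; // page guidance: cache for up to 5 minutes
const SAFETY_MS = 10 * 1000;        // assumed margin: stop using a token just before expiry

function createTokenCache(fetchToken, now = () => Date.now()) {
  // Held in a closure only: nothing is written to localStorage or disk,
  // so the token does not outlive the page or app session.
  let cached = null;   // { token, useUntil }
  let inFlight = null; // shared promise so concurrent callers trigger one request

  async function refresh() {
    const { token, expiresInSec } = await fetchToken();
    if (typeof token !== 'string' || token.length === 0) {
      throw new Error('auth call returned no token');
    }
    // Honour the shorter of the 5-minute cap and the token's real lifetime.
    const lifetimeMs = Number.isFinite(expiresInSec)
      ? expiresInSec * 1000 - SAFETY_MS
      : MAX_CACHE_MS;
    const ttlMs = Math.max(0, Math.min(MAX_CACHE_MS, lifetimeMs));
    cached = { token, useUntil: now() + ttlMs };
    return token;
  }

  return {
    async getToken() {
      if (cached && now() < cached.useUntil) return cached.token;
      if (!inFlight) {
        // A failed refresh is not cached: the next call simply retries.
        inFlight = refresh().finally(() => { inFlight = null; });
      }
      return inFlight;
    },
    // Call on logout or after a 401 so a rejected token is never reused.
    invalidate() { cached = null; },
  };
}
```

Pass the real clock in production; the `now` parameter exists so expiry behaviour can be tested deterministically.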
Updated 7 months ago
