Developers: API Security

Audience: Developer, Security, Platform Engineering

Controls Implemented In This System

  • TLS expected at edge/proxy for all external traffic.
  • Public API auth middleware enforces token presence on /api/public/v1/*.
  • Scope checks are method-aware (GET requires the read scope; write methods require the write scope).
  • Test/live mode mismatches are rejected.
  • API keys, OAuth client secrets, OAuth tokens, and webhook secrets are hashed at rest.
  • Secret values are one-time reveal on create/rotate flows.
  • OAuth redirect URIs are allow-listed and validated.
  • OAuth supports PKCE challenge + verifier.
  • Integration lifecycle actions are written to audit logs.

Credential Hygiene

  • Keep ck/sk in server secret storage only.
  • Never expose secret/system keys in frontend bundles.
  • Use publishable keys only for read-safe browser use.
  • Rotate keys on incident and on schedule.

Webhook Security Baseline

  • Verify signatures using webhook signing secret.
  • Reject stale timestamps (replay window).
  • Process idempotently by event identity.
  • Return 2xx only after durable persistence.
  • Per-key IP allow-lists.
  • mTLS for enterprise/private integrations.
  • Step-up auth for key rotation/deletion actions.
  • Request-level anomaly detection and alerting.
  • Signed audit export pipeline.
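The first four baseline items (signature verification, replay window, idempotency by event identity, 2xx only after durable persistence) as one receiver, written as an added example rather than code from this system. The header layout `t=<unix seconds>,v1=<hex HMAC-SHA256 over "<t>.<raw body>">`, the 300-second window and the dict-backed store are assumptions for the example.

```python
import hashlib
import hmac
import json

# Assumed header layout (not specified on the page):
#   X-Signature: t=<unix seconds>,v1=<hex HMAC-SHA256(secret, "<t>.<raw body>")>
REPLAY_WINDOW_SECONDS = 300

def sign(secret, timestamp, body):
    """Sender side: build the header value for a raw body (used here to construct inputs)."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"

class FailingStore(dict):
    """Constructed test double: every write fails, simulating a storage outage."""
    def __setitem__(self, key, value):
        raise OSError("db unavailable")

class WebhookReceiver:
    """Stand-in for the HTTP handler; returns (status, reason) instead of writing a response."""

    def __init__(self, secret, store=None):
        self.secret = secret
        # Durable store keyed by event id; a dict stands in for the database table.
        self.store = {} if store is None else store

    def handle(self, header, body, now):
        try:
            fields = dict(part.split("=", 1) for part in header.split(","))
            timestamp, provided = int(fields["t"]), fields["v1"]
        except (KeyError, ValueError):
            return 400, "malformed signature header"
        # 1. Verify the MAC over the raw body before trusting anything inside it.
        expected = hmac.new(self.secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, provided):
            return 401, "bad signature"
        # 2. Bound replay of a captured request: reject stale or future-dated timestamps.
        if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
            return 400, "stale timestamp"
        # 3. Idempotency by event identity: a redelivery is acknowledged, not reprocessed.
        event = json.loads(body)
        if event["id"] in self.store:
            return 200, "duplicate ignored"
        # 4. Persist first; only a successful write earns the 2xx that stops sender retries.
        try:
            self.store[event["id"]] = event
        except OSError:
            return 500, "persistence failed, sender should retry"
        return 200, "processed"
```

The signature is checked before the timestamp so that the timestamp used for the replay decision is itself authenticated.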