Use this checklist before going live.

Credential handling

  • Store bearer tokens and API keys in a server-side secret manager.
  • Never expose credentials in browser-side JavaScript.
  • Rotate credentials on schedule and immediately after suspected leaks.
  • Use separate credentials for staging and production.

Transport security

  • Use HTTPS for all requests.
  • Enforce modern TLS at your edge.
  • Avoid logging full authorization headers.

Request integrity

  • Validate all IDs and enums before sending requests.
  • Implement an idempotency strategy in your integration layer so retries are safe.
  • Add bounded exponential backoff for 429 and 5xx responses.
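The three request-integrity items above fit together in one small integration-layer helper. The following is an added example, not code from the original checklist or from any particular API: it validates IDs and enum values before anything is sent, generates one Idempotency-Key per logical request and reuses it on every retry, and backs off with capped exponential delay plus jitter on 429 and 5xx, honouring Retry-After when present. The header name, the ID pattern, the currency enum and the FakeServer transport are all assumptions constructed so the example runs offline.

```python
import random
import re
import time
import uuid
from dataclasses import dataclass, field

RETRYABLE = {429, 500, 502, 503, 504}

# Assumed ID shape and enum values for this illustration; substitute the real API's contract.
ID_PATTERN = re.compile(r"^[a-z]+_[A-Za-z0-9]{4,32}$")
ALLOWED_CURRENCY = {"USD", "EUR", "GBP"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def validate_request(payload):
    """Reject malformed IDs and unknown enum values before the request leaves the integration layer."""
    if not ID_PATTERN.fullmatch(str(payload.get("order_id", ""))):
        raise ValueError("order_id has an unexpected shape")
    if payload.get("currency") not in ALLOWED_CURRENCY:
        raise ValueError("currency is not an allowed value")
    return True


def backoff_delay(attempt, base=0.5, cap=8.0, retry_after=None, rng=random.random):
    """Bounded exponential backoff with full jitter; a parseable Retry-After wins but is still capped."""
    if retry_after is not None:
        try:
            return min(cap, float(retry_after))
        except ValueError:
            pass
    return min(cap, base * (2 ** attempt)) * rng()


def send_with_retry(send, payload, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Send one logical request, retrying only on 429/5xx.

    One Idempotency-Key (assumed header name) is generated per logical request and reused on
    every attempt, so a retry after a lost response cannot create a second resource server-side.
    """
    validate_request(payload)
    headers = {"Idempotency-Key": str(uuid.uuid4())}
    response = None
    for attempt in range(max_attempts):
        response = send(payload, headers)
        if response.status not in RETRYABLE:
            return response
        if attempt == max_attempts - 1:
            break
        sleep(backoff_delay(attempt, retry_after=response.headers.get("Retry-After"), rng=rng))
    return response  # budget exhausted; the caller decides how to surface the failure


class FakeServer:
    """Constructed stand-in for the remote API so the example runs offline.

    Replays a scripted list of status codes, sends Retry-After on 429, and records the
    Idempotency-Key of every attempt so a test can confirm the key stayed constant.
    """
    def __init__(self, statuses):
        self.statuses = list(statuses)
        self.seen_keys = []
        self.calls = 0

    def __call__(self, payload, headers):
        self.calls += 1
        self.seen_keys.append(headers["Idempotency-Key"])
        status = self.statuses.pop(0) if self.statuses else 200
        extra = {"Retry-After": "1"} if status == 429 else {}
        return Response(status, extra)


def demo(statuses=(503, 429, 200), max_attempts=5):
    """Run one request against the fake server with deterministic jitter (rng always 1.0)."""
    server = FakeServer(statuses)
    delays = []
    resp = send_with_retry(server, {"order_id": "ord_12345", "currency": "USD"},
                           max_attempts=max_attempts, sleep=delays.append, rng=lambda: 1.0)
    return resp.status, server.calls, len(set(server.seen_keys)), delays


if __name__ == "__main__":
    print(demo())               # (200, 3, 1, [0.5, 1.0])
    print(demo([500] * 10, 3))  # (500, 3, 1, [0.5, 1.0])
```

Jitter is injected as a function so the test is deterministic; in production leave the default random source in place, and note that the cap keeps a hostile or misconfigured Retry-After from stalling your workers indefinitely.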

Webhook security

  • Verify webhook signatures on every delivery.
  • Reject stale or malformed webhook payloads.
  • Deduplicate events by stable IDs.
  • Return a fast acknowledgement and process asynchronously.

Access control

  • Prefer least-privilege API keys.
  • Segment access by organization/workspace boundaries.
  • Audit credential usage and remove unused keys.

Do not hardcode API keys in mobile apps, frontend bundles, or public repositories.