API security checklist

Review every trust boundary before production traffic

A secure proxy path needs more than one rate limit. Use this checklist to review caller authentication, tenant scope, approved destinations, credential separation, bounded resource use, privacy-safe evidence, and operational recovery.

Practical review · Fail-closed boundaries · No compliance claims

Practical boundaries

Seven controls to verify together

Authenticate the caller

Use a verified, revocable workspace key and keep its raw value out of logs, tickets, screenshots, and browser storage.

Derive tenant scope

Resolve the active workspace server-side and include its identifier in every protected object query or mutation.

Approve the destination

Prefer exact public hosts; use explicit one-level wildcards only when the integration genuinely requires them.

Separate credentials

Never forward a ThrottleProxy key, cookie, proxy authorization value, or forwarding credential to an upstream provider.

Bound resource use

Cap queue depth, concurrency, request bytes, response bytes, idle time, and absolute upstream duration.

Sanitize evidence

Preserve safe stage, status, timing, host, and path context while redacting credentials, query values, bodies, and unsafe errors.

Prepare recovery

Document revocation, role review, incident escalation, migration order, smoke checks, and rollback before launch.
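The destination, credential-separation, and evidence controls above can each be reduced to a small pure function, which makes them easy to unit test before live keys are issued. The following is an added example, not ThrottleProxy's own code: the header name carrying the workspace key and the shape of the evidence record are assumptions made for illustration.

```python
"""Added example (not ThrottleProxy's code): three checklist controls as
small pure functions. Header names and record fields are assumptions."""
from __future__ import annotations

from urllib.parse import urlsplit

# Hypothetical header carrying the workspace key; the name is an assumption.
PROXY_KEY_HEADER = "x-throttleproxy-key"

# Headers that must never reach an upstream provider (separate credentials).
FORWARD_BLOCKED_HEADERS = frozenset({
    "authorization",
    "proxy-authorization",
    "cookie",
    PROXY_KEY_HEADER,
})


def host_allowed(host: str, allowlist: list[str]) -> bool:
    """Approve a destination host against exact hosts and explicit
    one-level wildcards ("*.api.example.com" matches exactly one extra
    label). Anything else fails closed."""
    host = host.strip().lower().rstrip(".")
    if not host:
        return False
    for entry in allowlist:
        entry = entry.strip().lower()
        if entry.startswith("*."):
            suffix = entry[2:]
            # "eu.api.example.com" matches "*.api.example.com";
            # "a.b.api.example.com" and the apex "api.example.com" do not.
            if host.endswith("." + suffix):
                prefix = host[: -len(suffix) - 1]
                if prefix and "." not in prefix:
                    return True
        elif host == entry:
            return True
    return False


def strip_forwarded_credentials(headers: dict[str, str]) -> dict[str, str]:
    """Return only the headers that may be forwarded upstream, dropping
    every proxy-side credential header regardless of letter case."""
    return {k: v for k, v in headers.items()
            if k.lower() not in FORWARD_BLOCKED_HEADERS}


def status_category(status: int) -> str:
    """Collapse an exact status code into a coarse category for evidence."""
    if 200 <= status < 300:
        return "success"
    if 400 <= status < 500:
        return "client_error"
    if 500 <= status < 600:
        return "upstream_error"
    return "other"


def sanitize_evidence(stage: str, status: int, url: str,
                      started_at: float, elapsed_ms: int) -> dict:
    """Build a support-safe record: stage, status category, host and path
    survive; the query string, body and any credential never enter it.
    The timestamp is rounded down to the minute so it stays approximate."""
    parts = urlsplit(url)
    return {
        "stage": stage,
        "status_category": status_category(status),
        "host": parts.hostname or "",
        "path": parts.path or "/",
        "approx_time": int(started_at // 60) * 60,
        "elapsed_ms": elapsed_ms,
    }
```

Note that the wildcard check rejects both the bare apex and nested subdomains, so a "*.api.example.com" entry never widens into "anything under example.com"; widen the allowlist with a second explicit entry rather than a looser pattern.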

Good fit

  • Teams reviewing one narrowly scoped public API integration.
  • Security and platform owners preparing a production-readiness review.
  • Developers who need a concrete checklist before issuing live keys.

Not a replacement for

  • A compliance certification or substitute for an independent security assessment.
  • A guarantee that an application or upstream provider has no vulnerabilities.
  • A replacement for edge DDoS controls, endpoint security, or provider-side authorization.

Common questions

Does completing this checklist certify an integration?

No. It is an operational review aid, not a certification, warranty, or external audit.

Should provider credentials use the ThrottleProxy key field?

No. Proxy authentication and provider authentication are separate trust boundaries.

What should a support case contain?

Use sanitized stages, status categories, approximate timestamps, and safe correlation context—never credentials or raw request bodies.

Start with one narrow integration

Use one workspace key, one exact public host, and non-sensitive test traffic.
