
Security Checklist

Follow recommended practices to keep your integration secure, stable and compliant.

Updated April 14th, 2026

Overview

Follow this before going live and revisit it if your setup changes.

Protect your API key

Your API key is the most sensitive credential in your integration. Treat it like a password.

  • Store it in a server-side environment variable or secret manager — never in code
  • Never expose it in frontend or client-side code
  • Never commit it to source control
  • Use separate keys for Test and Production — do not share between environments
  • If a key is compromised, rotate it immediately via the Deployment Centre

Verify all webhook requests

Every incoming webhook from Begini includes an X-Signature header containing an HMAC SHA-512 signature of the payload, generated using your API key. You must verify this signature before processing any webhook data. Accepting unverified requests exposes your system to forged or tampered payloads.

See Securing Webhooks (HMAC) for implementation details.

Use HTTPS everywhere

All communication with Begini must use HTTPS — both your API requests and your webhook receiver endpoint. Do not use unsecured HTTP endpoints in any environment.

Separate Test and Production cleanly

Never use Test credentials in Production or vice versa. Keep webhook endpoints, redirect URLs, and API keys fully separate per environment. Mixing environments can result in data corruption and missed events.

Validate incoming data

Do not assume webhook payloads are well-formed. Your receiver should validate the JSON structure, check for required fields, and handle missing or unexpected values gracefully.

Handle errors safely

  • Return appropriate HTTP status codes from your webhook receiver
  • Do not expose internal error detail in responses
  • Log errors securely — never log API keys, UIDs, or raw payloads in plaintext
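The three points above (signature verification, payload validation and safe error handling) combined into one receiver-side routine. This is an added example, not code from Begini's documentation: it assumes the X-Signature value is the hex digest of HMAC-SHA512 over the raw request body, and the required field names and sample payload are constructed for illustration. Check Securing Webhooks (HMAC) for the exact encoding Begini uses.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumption: X-Signature carries the lowercase hex digest of HMAC-SHA512
# over the raw body, keyed with the integration's API key.
def compute_signature(api_key: str, raw_body: bytes) -> str:
    return hmac.new(api_key.encode("utf-8"), raw_body, hashlib.sha512).hexdigest()

def verify_signature(api_key: str, raw_body: bytes, x_signature: Optional[str]) -> bool:
    """True only if the header matches the body; constant-time comparison."""
    if not x_signature:
        return False  # a missing header is a failed check, not a pass
    expected = compute_signature(api_key, raw_body)
    return hmac.compare_digest(expected, x_signature.strip().lower())

REQUIRED_FIELDS = ("event", "session_id")  # hypothetical field names

def parse_payload(raw_body: bytes) -> dict:
    """Parse JSON and enforce shape; raise ValueError on anything unexpected."""
    try:
        data = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("payload must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError("missing required fields: %s" % missing)
    return data

def handle_webhook(api_key: str, raw_body: bytes, headers: dict) -> Tuple[int, str]:
    """Verify first, validate second; respond with a status code and a generic message."""
    if not verify_signature(api_key, raw_body, headers.get("X-Signature")):
        # Do not echo the expected signature or the key back to the caller.
        return 401, "invalid signature"
    try:
        payload = parse_payload(raw_body)
    except ValueError:
        # Log the failure category internally; never the raw body or the key.
        return 400, "bad request"
    _ = payload  # hand off to business logic here
    return 200, "ok"

# Constructed sample values for a local run (placeholder key, not a real credential).
SAMPLE_KEY = "test-api-key-placeholder"
SAMPLE_BODY = b'{"event":"session.completed","session_id":"abc123"}'
```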

Limit access

  • Restrict who has access to the Beacon dashboard
  • Control who can view or manage Integration IDs and API keys in the Deployment Centre
  • Review access regularly

Consider IP whitelisting

For additional security, Begini recommends whitelisting Begini platform IPs on your webhook receiver. Contact your account manager for the current IP list.

Pre-launch checklist

Before going live, confirm each of the following:

  • API key stored securely server-side, not in code or frontend
  • HMAC webhook verification implemented and tested
  • Production webhook endpoint configured and reachable over HTTPS
  • Production redirect URLs configured in the Deployment Centre
  • Test and Production environments fully separated
  • Beacon access restricted to appropriate users
  • Error handling in place on your webhook receiver

Next steps

  • Creating a Session — API session creation reference
  • Securing Webhooks (HMAC) — implement webhook signature verification
  • Test & Production Environments — keep environments cleanly separated
