Security Best Practices

Follow recommended practices to keep your integration secure, stable and compliant.

Updated March 29th, 2026

Overview

Security in Begini integrations is not a single feature — it is a combination of practices across authentication, data handling, infrastructure and operations.

This guide outlines the key principles you should follow to ensure your integration remains secure, stable and compliant.


Protect your API keys

Your API key is the most sensitive credential in your integration.

You should:

  • Store API keys in secure server-side environments
  • Use environment variables or secret managers
  • Restrict access to authorised systems only

You should never:

  • Expose API keys in frontend applications
  • Commit API keys to source control
  • Share API keys across teams without control

Always verify webhook signatures

Every webhook request must be validated using HMAC verification.

This ensures:

  • The request is genuinely from Begini
  • The payload has not been altered

Never process webhook data without verifying the X-Signature.
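As an added illustration (not code from this page or from Begini), the check below shows what "verify the X-Signature before processing" looks like in a Python webhook receiver. It assumes a scheme the page does not spell out: HMAC-SHA256 over the raw request body, hex-encoded, carried in the X-Signature header, with the secret in a hypothetical BEGINI_WEBHOOK_SECRET environment variable. The sample secret and body are constructed; confirm the real algorithm and encoding against the HMAC Verification Guide.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed scheme, not confirmed by this page: HMAC-SHA256 over the raw request
# body, hex-encoded, sent in the X-Signature header. Check the HMAC Verification
# Guide for the exact algorithm and encoding Begini uses.


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 of the exact bytes received, as lowercase hex."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only when X-Signature matches the HMAC of the raw body.

    Verify on the raw bytes before JSON parsing: re-serialising the payload can
    change whitespace or key order and break the match.
    """
    if not header_value:
        return False  # a missing header is a rejection, never a pass
    expected = compute_signature(secret, raw_body).encode("ascii")
    presented = header_value.strip().lower().encode("utf-8")
    # compare_digest runs in constant time, so response timing does not leak
    # how many leading bytes of a guessed signature were correct
    return hmac.compare_digest(expected, presented)


def load_secret() -> bytes:
    """Read the signing secret from the environment (hypothetical variable name)."""
    value = os.environ.get("BEGINI_WEBHOOK_SECRET")
    if not value:
        raise RuntimeError("BEGINI_WEBHOOK_SECRET is not set; refusing to accept webhooks")
    return value.encode("utf-8")


# Constructed sample values for demonstration only.
SAMPLE_SECRET = b"demo-secret-not-a-real-credential"
SAMPLE_BODY = b'{"event":"score.completed","id":"evt_123"}'

if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print("genuine request accepted:", verify_signature(SAMPLE_SECRET, SAMPLE_BODY, sig))
    print("altered payload rejected:", not verify_signature(SAMPLE_SECRET, SAMPLE_BODY + b" ", sig))
    print("missing header rejected:", not verify_signature(SAMPLE_SECRET, SAMPLE_BODY, None))
```

In a web framework, pass the request's raw body bytes (not the parsed JSON) to verify_signature, and return a 4xx without touching the payload when it returns False.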


Use secure communication

All communication with Begini must use HTTPS.

This applies to:

  • API requests
  • Webhook endpoints

Unsecured endpoints (HTTP) should never be used.


Separate environments properly

You should always maintain a clear separation between:

  • Sandbox (testing)
  • Production (live)

This includes:

  • Separate API keys
  • Separate webhook endpoints
  • Separate data handling

Mixing environments can lead to data corruption and operational issues.


Validate all incoming data

Your system should never assume that incoming data is valid.

You should:

  • Validate JSON payload structure
  • Check required fields
  • Handle missing or unexpected values

This protects your system from errors and malformed requests.


Handle errors safely

Error handling should be controlled and secure.

You should:

  • Avoid exposing sensitive information in error responses
  • Log errors securely
  • Return appropriate HTTP status codes

This ensures both security and system stability.
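The two sections above (validating incoming data, handling errors safely) fit naturally in one handler, shown here as an added Python example that is not Begini's code. The required field names and types are hypothetical, the sample deliveries are constructed, and the handler returns a status code plus a generic JSON body so the specific failure reason stays in server-side logs rather than in the response.

```python
import json
import logging
from typing import Any, Callable, Dict, Tuple

log = logging.getLogger("begini.webhook")

# Hypothetical required fields and types; use the fields documented for the
# event types you actually subscribe to.
REQUIRED_FIELDS: Dict[str, type] = {"id": str, "event": str, "data": dict}


class ValidationError(ValueError):
    """Raised with a short reason that is safe to log (never echoes the body)."""


def parse_payload(raw_body: bytes) -> Dict[str, Any]:
    """Parse the JSON body and check structure, required fields and types."""
    try:
        payload = json.loads(raw_body)
    except (UnicodeDecodeError, json.JSONDecodeError):
        raise ValidationError("body is not valid JSON")
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    for name, expected_type in REQUIRED_FIELDS.items():
        if name not in payload or payload[name] is None:
            raise ValidationError(f"missing required field: {name}")
        if not isinstance(payload[name], expected_type):
            raise ValidationError(f"wrong type for field: {name}")
    return payload


def handle_webhook(raw_body: bytes, process: Callable[[Dict[str, Any]], None]) -> Tuple[int, Dict[str, str]]:
    """Return (HTTP status, JSON response) for one delivery.

    The caller only ever sees a generic message and a status code; the
    specific reason and any traceback stay in server-side logs.
    """
    try:
        payload = parse_payload(raw_body)
    except ValidationError as exc:
        # 400: the request itself is malformed. The body is not logged because
        # it may contain personal data; the short reason is enough to debug.
        log.warning("rejected webhook: %s", exc)
        return 400, {"error": "invalid payload"}
    try:
        process(payload)
    except Exception:
        # 500: our side failed. The traceback goes to logs only, never to the response.
        log.exception("processing failed for event %s", payload["id"])
        return 500, {"error": "internal error"}
    return 200, {"status": "ok"}


# Constructed sample deliveries used only to demonstrate the handler.
GOOD_BODY = b'{"id":"evt_1","event":"score.completed","data":{"score":720}}'
MISSING_FIELD_BODY = b'{"id":"evt_2","event":"score.completed"}'
NOT_JSON_BODY = b"<html>502 Bad Gateway</html>"

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(handle_webhook(GOOD_BODY, lambda p: None))
    print(handle_webhook(MISSING_FIELD_BODY, lambda p: None))
    print(handle_webhook(NOT_JSON_BODY, lambda p: None))
    print(handle_webhook(GOOD_BODY, lambda p: 1 / 0))
```

Signature verification (previous section) runs before parse_payload, on the raw bytes; a 400 for a malformed body is only returned for requests that already carried a valid signature.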


Limit access and permissions

Access to Begini systems and integrations should be restricted.

You should:

  • Control who can access the Beacon dashboard
  • Limit who can manage integrations and deployments
  • Regularly review access permissions

Avoid sensitive data exposure

You should ensure that sensitive information is not exposed in:

  • Logs
  • Debug output
  • Monitoring tools

This includes:

  • API keys
  • User identifiers
  • Payload data
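One practical way to keep API keys, user identifiers and payload data out of logs is to redact before logging and to scrub at the logging layer as a backstop. The Python example below is added here and is not Begini's code: the sensitive key names are a hypothetical list, and the "bg_live_..." token shape used by the pattern scrubber is constructed for the demonstration, not Begini's real key format.

```python
import logging
import re
from typing import Any

# Keys whose values must never be written to logs, debug output or monitoring.
# Hypothetical list; extend it with the field names your payloads carry.
SENSITIVE_KEYS = {"api_key", "x-api-key", "authorization", "x-signature",
                  "user_id", "email", "phone"}

# Constructed token shape "bg_live_<alnum>" / "bg_test_<alnum>" for the pattern
# scrubber; an assumption for this demo, not Begini's real key format.
KEY_PATTERN = re.compile(r"bg_(?:live|test)_[A-Za-z0-9]{8,}")


def redact(value: Any) -> Any:
    """Return a copy of a payload/headers structure with sensitive values masked."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def scrub_text(text: str) -> str:
    """Mask anything that looks like an API key inside free-form text."""
    return KEY_PATTERN.sub("bg_***", text)


class RedactingFilter(logging.Filter):
    """Backstop: scrubs every record that passes through the handler it is attached to."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(record.getMessage())  # render %-args, then scrub
        record.args = None
        return True


def format_for_log(msg: str, *args: Any) -> str:
    """Build a LogRecord, run it through RedactingFilter and return the final text."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Attach to handlers, not just the root logger: logger-level filters do not
    # apply to records propagated from child loggers.
    for handler in logging.getLogger().handlers:
        handler.addFilter(RedactingFilter())
    logging.info("calling Begini with key %s", "bg_live_0123456789abcdef")
    logging.info("payload: %s", redact({"user_id": "u-1", "data": {"score": 700}}))
```

redact() is the primary control (structured data is masked before it is formatted); the filter only catches keys that leak into free text and cannot recognise identifiers or payload fields, so it is not a substitute for redacting at the source.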

Monitor and audit activity

Ongoing monitoring is essential for maintaining security.

You should:

  • Track webhook failures
  • Monitor API usage
  • Audit access to integrations

This helps detect issues early and maintain reliability.
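Tracking webhook failures can start from the endpoint's own access log. The Python example below is added here (not Begini's code) and runs simple detection logic over constructed log lines in an assumed format; it also assumes the endpoint answers 401 to a bad X-Signature, which is a design choice of the receiving system, not something this page specifies.

```python
import re
from collections import Counter
from typing import Iterable, List

# Constructed log line format for this demonstration (an assumption, not a
# Begini format): "<timestamp> webhook status=<http status> event=<event id>"
LINE = re.compile(r"^(?P<ts>\S+) webhook status=(?P<status>\d{3}) event=(?P<event>\S+)$")

# Constructed sample: one minute of logs from our webhook endpoint.
SAMPLE_LOG = """\
2026-03-29T10:00:01Z webhook status=200 event=evt_1
2026-03-29T10:00:05Z webhook status=401 event=evt_2
2026-03-29T10:00:09Z webhook status=401 event=evt_3
2026-03-29T10:00:12Z webhook status=200 event=evt_4
2026-03-29T10:00:15Z webhook status=500 event=evt_5
2026-03-29T10:00:20Z webhook status=401 event=evt_6
"""


def count_statuses(lines: Iterable[str]) -> Counter:
    """Tally HTTP statuses our endpoint returned; lines that do not parse are skipped."""
    counts: Counter = Counter()
    for line in lines:
        match = LINE.match(line.strip())
        if match:
            counts[match["status"]] += 1
    return counts


def webhook_alerts(counts: Counter, max_failure_rate: float = 0.2) -> List[str]:
    """Turn the tally into alerts a team can act on."""
    total = sum(counts.values())
    if total == 0:
        return []
    failed = sum(n for status, n in counts.items() if not status.startswith("2"))
    rate = failed / total
    alerts = []
    if rate > max_failure_rate:
        alerts.append(f"failure rate {rate:.0%} exceeds {max_failure_rate:.0%} ({failed}/{total})")
    # Assumption: our endpoint answers 401 to a bad X-Signature. A burst of them
    # usually means a rotated or mismatched secret, or unexpected traffic to the URL.
    if counts.get("401", 0) >= 3:
        alerts.append(f"{counts['401']} signature rejections: check secret configuration")
    if counts.get("500", 0):
        alerts.append(f"{counts['500']} server errors: deliveries will be retried, check handler logs")
    return alerts


if __name__ == "__main__":
    tally = count_statuses(SAMPLE_LOG.splitlines())
    print(dict(tally))
    for alert in webhook_alerts(tally):
        print("ALERT:", alert)
```

The same tally, computed per API key or per environment, also gives a simple view of API usage; the thresholds here are illustrative and should be tuned to your normal delivery volume.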


Design for resilience

Your integration should be built to handle:

  • Duplicate webhook events
  • Delayed or retried requests
  • Partial failures

This ensures consistent and reliable behaviour in production.
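The three cases listed above (duplicates, retries, partial failures) are usually handled together with an idempotency record keyed by event id. This added Python example is not Begini's code: it assumes each event carries an "id" field (a hypothetical name) and uses in-memory sets in place of the shared database or cache a real deployment would need.

```python
import threading
from typing import Callable, Dict, List, Set

Event = Dict[str, object]


class IdempotentProcessor:
    """Run the handler successfully at most once per event id, even when delivery is retried.

    The stores are in-memory for the demonstration (an assumption); in
    production they would be a shared table or cache keyed by event id so that
    every replica and every restart sees the same history.
    """

    def __init__(self, handler: Callable[[Event], None]):
        self._handler = handler
        self._done: Set[str] = set()       # ids fully processed
        self._in_flight: Set[str] = set()  # ids being processed right now
        self._lock = threading.Lock()

    def process(self, event: Event) -> str:
        event_id = str(event["id"])  # hypothetical field name for the event identifier
        with self._lock:
            if event_id in self._done:
                return "duplicate"     # acknowledge with 200 and do no work
            if event_id in self._in_flight:
                return "in_progress"   # concurrent retry: let the first delivery finish
            self._in_flight.add(event_id)
        try:
            self._handler(event)
        except Exception:
            # Partial failure: release the id so the next retry can try again,
            # and re-raise so the endpoint returns a 5xx that prompts a retry.
            with self._lock:
                self._in_flight.discard(event_id)
            raise
        with self._lock:
            self._in_flight.discard(event_id)
            self._done.add(event_id)
        return "processed"


def demo_retry_sequence() -> List[str]:
    """Constructed scenario: the first delivery fails mid-way, the retry succeeds,
    and a late duplicate is ignored. Returns the outcome of each attempt."""
    attempts = {"n": 0}

    def flaky_handler(event: Event) -> None:
        attempts["n"] += 1
        if attempts["n"] == 1:
            raise RuntimeError("downstream database unavailable")  # simulated partial failure

    processor = IdempotentProcessor(flaky_handler)
    event = {"id": "evt_42", "event": "score.completed"}
    outcomes = []
    for _ in range(3):
        try:
            outcomes.append(processor.process(event))
        except RuntimeError:
            outcomes.append("failed")
    return outcomes


if __name__ == "__main__":
    print(demo_retry_sequence())
```

Because a retried delivery may arrive while the first one is still running, the in-flight set matters as much as the done set; with a shared store, the same effect comes from an atomic insert of the event id before any work starts.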


Common risks to avoid

  • Skipping webhook verification
  • Using production keys in test environments
  • Logging sensitive data
  • Hardcoding credentials
  • Granting excessive access

Recommended security checklist

Before going live, ensure:

  • API keys are securely stored
  • Webhook signatures are validated
  • HTTPS is enforced
  • Environments are separated
