Developers: API Security

Audience: Developers and integration teams

Use this guide to keep public eshopOS integrations safe. It covers integration responsibilities and safe credential handling.

Public Integration Rules

  • Use documented public API routes only.
  • Keep secret and system credentials in trusted server-side storage.
  • Use publishable credentials only where browser or mobile exposure is intended.
  • Keep test and live credentials separate.
  • Rotate credentials when a key is exposed, shared with the wrong party, or no longer needed.
  • Use the least-privilege credential that can complete the job.

Webhook Security Baseline

  • Verify X-EshopOS-Signature using the webhook signing secret and raw request body.
  • Reject stale timestamps.
  • Process idempotently by event identity.
  • Return 2xx only after your system has safely accepted the event.
  • Store credentials in a secret manager.
  • Avoid logging request headers or secret-bearing payloads.
  • Use backoff for retries.
  • Restrict who can create, rotate, or delete credentials.
  • Monitor failed webhook deliveries and repeated auth failures.
  • Re-test integrations before switching live mode on.
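The first four baseline items (signature over the raw body, stale-timestamp rejection, idempotent processing by event id, 2xx only after acceptance) combined into one handler, as an added illustration that is not eshopOS's own code. It assumes, for demonstration only, an HMAC-SHA256 scheme over `timestamp + "." + raw_body` and an `X-EshopOS-Timestamp` header; the real eshopOS signing format, timestamp transport and tolerance window are not stated on this page and must be taken from the eshopOS webhook documentation.

```python
import hashlib
import hmac
import json
import time

# Assumed values for the example; eshopOS's real scheme and window may differ.
TIMESTAMP_HEADER = "X-EshopOS-Timestamp"
SIGNATURE_HEADER = "X-EshopOS-Signature"
TOLERANCE_SECONDS = 300


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    # Sign the raw bytes exactly as received; re-serialising the JSON first
    # would change whitespace or key order and make a valid signature fail.
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes, now=None):
    """Return (ok, reason). Check freshness first, then the MAC in constant time."""
    now = time.time() if now is None else now
    sig = headers.get(SIGNATURE_HEADER, "")
    ts = headers.get(TIMESTAMP_HEADER, "")
    if not sig or not ts.isdigit():
        return False, "missing signature or timestamp"
    if abs(now - int(ts)) > TOLERANCE_SECONDS:
        return False, "stale timestamp"  # replayed or long-delayed delivery
    expected = compute_signature(secret, ts, raw_body)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    return True, "ok"


class WebhookProcessor:
    """Verifies, deduplicates by event id, and only then reports acceptance."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids = set()  # use a durable store (DB, cache) in production

    def handle(self, headers: dict, raw_body: bytes, now=None):
        ok, reason = verify_webhook(self.secret, headers, raw_body, now)
        if not ok:
            return 400, reason  # non-2xx: the sender should retry with backoff
        event_id = json.loads(raw_body).get("id")
        if not event_id:
            return 400, "missing event id"
        if event_id in self.seen_ids:
            return 200, "duplicate ignored"  # redelivery: acknowledge, do not re-apply
        self.seen_ids.add(event_id)  # commit business effects here, before the 2xx
        return 200, "accepted"
```

The tampered-body and replay cases in the checks below are the ones worth keeping in an integration test suite before switching live mode on.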