Security
Core controls
- TLS-only transport
- Least-privilege keys
- Strict secret rotation and revocation
- Idempotent mutation protections
- Audit logs with correlation IDs
Key rotation guidance
- Rotate keys at predictable intervals.
- Rotate immediately after personnel or incident changes.
- Validate old-key deactivation with synthetic checks.
Webhook signing guidance
- Validate signature on raw body before parsing.
- Enforce timestamp tolerance.
- Reject duplicates using event ID cache.
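An added example (not the project's own code) of a receiver that applies the three checks above in that order: MAC over the raw bytes, then timestamp tolerance, then event-ID deduplication. The page does not specify a signing format, so the HMAC-SHA256 over `timestamp.body` scheme, the header values passed in, the 300-second tolerance and the in-memory ID cache are all assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Set, Tuple

# Assumed (hypothetical) scheme, not taken from the page: the sender supplies a
# unix-seconds timestamp header and a signature header holding
# hex(HMAC-SHA256(secret, "<timestamp>." + raw_body)).
TOLERANCE_SECONDS = 300


def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """Producer side; used here only to build constructed sample deliveries."""
    return hmac.new(secret, timestamp.encode() + b"." + raw_body, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        # IDs already processed. A real deployment needs a shared TTL cache
        # (retention at least as long as the timestamp tolerance).
        self.seen_event_ids: Set[str] = set()

    def check(self, raw_body: bytes, timestamp: str, signature: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (accepted, reason). The body is never parsed before the MAC check."""
        # 1. Signature over the exact raw bytes received, constant-time comparison.
        expected = sign(self.secret, timestamp, raw_body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return False, "bad_signature"
        # 2. Timestamp tolerance bounds the replay window of a captured delivery.
        try:
            ts = int(timestamp)
        except ValueError:
            return False, "bad_timestamp"
        now = time.time() if now is None else now
        if abs(now - ts) > self.tolerance:
            return False, "stale_timestamp"
        # 3. Parse only now; the ID cache rejects replays still inside the window.
        event = json.loads(raw_body)
        event_id = event.get("id")
        if not isinstance(event_id, str):
            return False, "missing_event_id"
        if event_id in self.seen_event_ids:
            return False, "duplicate"
        self.seen_event_ids.add(event_id)
        return True, "ok"
```

Note that a signature mismatch is reported before the timestamp is even inspected, so a tampered body never reaches `json.loads`.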
Breaking changes
Security hardening can require stricter validation over time. Monitor changelog entries labeled Breaking changes.