
API Security Best Practices

Best practices for securing your JobsiteOn API keys, authenticating requests, and protecting your integration endpoints.

Written by Maya Thompson. Updated 2 days ago. 3 min read. Level: Advanced.

What this guide covers

This guide provides security best practices for using the JobsiteOn API and webhooks. Following these practices protects your data and reduces the risk of unauthorized access through your integrations.

API key security

Store keys securely

  • Use environment variables, not hardcoded strings.
  • Never commit API keys to version control.
  • Never expose keys in client-side code (browser JavaScript).
  • Use a secrets manager for production environments.

Use least-privilege permissions

When generating an API key, grant only the permissions the integration needs. If an integration only reads contacts, do not grant write access to invoices.

Screenshot: The API key generation dialog showing granular permission checkboxes, with only the minimum needed permissions checked.

Rotate keys regularly

  • Rotate API keys every 90 days.
  • When an employee with key access leaves, rotate immediately.
  • Generate the new key before revoking the old one to avoid downtime.

Request authentication

Always use HTTPS

All API requests must use HTTPS. HTTP requests are rejected. This ensures your API key and data are encrypted in transit.

Validate responses

Always check the HTTP status code and validate the response body before processing it. A request can fail, or return an unexpected shape, without your HTTP client raising an error, so never assume it succeeded.

Webhook security

Verify signatures

Every webhook request includes an X-Signature header carrying an HMAC computed with your API key as the secret. Recompute the HMAC on your side, compare it with the header using a constant-time comparison, and reject any request whose signature does not match.

Animation: A code snippet showing the webhook signature verification process: extract the header, compute HMAC, and compare.

Use HTTPS endpoints

Only use HTTPS URLs for your webhook endpoints. Webhook payloads contain sensitive data that must be encrypted in transit.

Respond quickly

Acknowledge receipt with a 200 status within 5 seconds, then process the payload asynchronously (for example from a queue). Slow responses trigger retries, so make your handler idempotent: a retried delivery must not be processed a second time.
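The two webhook rules above (verify the X-Signature, then acknowledge fast and process off the request path), as an added example that is not JobsiteOn's own code. The article does not say which hash or encoding the signature uses, so this example assumes HMAC-SHA256 over the raw request body, hex-encoded; it also assumes each event carries an "id" field, which it uses to drop retried duplicates. The sample event and key are constructed for the demo.

```python
"""Added example (not JobsiteOn's own code): verify a webhook's X-Signature
and acknowledge it quickly. Assumptions not stated in the article: the
signature is HMAC-SHA256 over the raw request body, hex-encoded, keyed with
the API key; each event carries an "id" field used for de-duplication."""
import hashlib
import hmac
import json
import queue


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 of the exact bytes received, hex-encoded (assumed scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Recompute and compare in constant time so timing cannot leak the
    expected value. Always verify the raw bytes, never a re-serialised
    parse of the JSON (whitespace or key order changes break the MAC)."""
    if not header_value:
        return False
    expected = compute_signature(secret, raw_body).encode()
    return hmac.compare_digest(expected, header_value.strip().lower().encode())


class WebhookReceiver:
    """Handles one inbound webhook: verify, de-duplicate, queue, return 200."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_ids = set()          # in production: a persistent store
        self.pending = queue.Queue()   # drained by a worker off the request path

    def handle(self, raw_body: bytes, headers: dict):
        """Return (http_status, reason) that the endpoint should send back."""
        lower = {k.lower(): v for k, v in headers.items()}
        if not verify_signature(self.secret, raw_body, lower.get("x-signature")):
            return 401, "invalid signature"
        try:
            event = json.loads(raw_body)
        except ValueError:
            return 400, "body is not JSON"
        event_id = event.get("id") if isinstance(event, dict) else None
        if event_id is None:
            return 400, "event has no id"
        if event_id in self.seen_ids:
            # A retried delivery: acknowledge it so JobsiteOn stops resending,
            # but do not process it twice.
            return 200, "duplicate ignored"
        self.seen_ids.add(event_id)
        self.pending.put(event)        # the slow work happens elsewhere
        return 200, "queued"

    def process_pending(self, work):
        """Worker side: run the slow part for every queued event; returns count."""
        count = 0
        while not self.pending.empty():
            work(self.pending.get())
            count += 1
        return count


if __name__ == "__main__":
    # Constructed demo: a signed event, a replay of it, and a tampered copy.
    secret = b"constructed-demo-key"
    rx = WebhookReceiver(secret)
    body = b'{"id": "evt_1", "type": "contact.created"}'
    sig = compute_signature(secret, body)
    print(rx.handle(body, {"X-Signature": sig}))          # (200, 'queued')
    print(rx.handle(body, {"X-Signature": sig}))          # (200, 'duplicate ignored')
    print(rx.handle(body + b" ", {"X-Signature": sig}))   # (401, 'invalid signature')
    print(rx.process_pending(lambda ev: print("processing", ev["id"])))
```

The handler only verifies, parses and enqueues, so it returns well inside the 5-second window; `process_pending` is what a background worker would call. The in-memory `seen_ids` set is enough to show the idea, but a real deployment needs a shared, persistent store so that duplicates are still caught after a restart or across several instances.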

Rate limiting

  • API: 100 requests per minute per key.
  • Implement exponential backoff when you receive 429 responses.
  • Cache responses when possible to reduce API calls.
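The outbound side of the guidance (key loaded from the environment, HTTPS only, status and body checked before use, exponential backoff on 429), collected into one small client wrapper. This is an added example, not JobsiteOn's SDK: the Bearer authorization scheme, the JSON-object response shape and the host api.jobsiteon.example are assumptions, and FakeTransport is a constructed stand-in so the code runs without network access.

```python
"""Added example (not JobsiteOn's own SDK): a small client wrapper that
applies the practices above. Assumptions not stated in the article: the
key is sent as a Bearer token, responses are JSON objects, and the host
api.jobsiteon.example is a placeholder."""
import json
import os
import random
import time
import urllib.error
import urllib.request
from urllib.parse import urlparse


class ApiError(Exception):
    """Raised for configuration errors and non-successful API responses."""


def load_api_key(env_var="JOBSITEON_API_KEY", environ=None):
    """Read the key from an environment variable (a secrets-manager lookup
    plugs in the same way). Fail fast rather than fall back to a default."""
    environ = os.environ if environ is None else environ
    key = environ.get(env_var)
    if not key:
        raise ApiError(f"{env_var} is not set; refusing to run without a key")
    return key


def is_https(url):
    """True only for https:// URLs; the key travels in a header, so plain
    HTTP would expose it in transit."""
    return urlparse(url).scheme == "https"


def urllib_transport(method, url, headers, body):
    """Real transport: returns (status, response headers, raw body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


class FakeTransport:
    """Constructed stand-in for the demo and tests: replays a scripted list of
    (status, headers, body) responses instead of talking to the network."""

    def __init__(self, responses):
        self.responses = list(responses)
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        return self.responses.pop(0)


def api_request(method, url, api_key, body=None, transport=urllib_transport,
                max_attempts=5, sleep=time.sleep):
    """Send one request: HTTPS only, back off on 429, and validate the
    status and body before returning the parsed JSON object."""
    if not is_https(url):
        raise ApiError(f"refusing to send the API key over a non-HTTPS URL: {url}")
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    for attempt in range(max_attempts):
        status, resp_headers, raw = transport(method, url, headers, data)
        if status == 429:
            # Exponential backoff with jitter, capped at 30 s; honour a
            # numeric Retry-After header when the server sends one.
            retry_after = resp_headers.get("Retry-After")
            if retry_after and retry_after.isdigit():
                delay = float(retry_after)
            else:
                delay = min(2 ** attempt, 30) + random.random()
            sleep(delay)
            continue
        if not 200 <= status < 300:
            raise ApiError(f"{method} {url} returned HTTP {status}: {raw[:200]!r}")
        try:
            parsed = json.loads(raw)
        except ValueError:
            raise ApiError(f"HTTP {status} but body is not JSON: {raw[:200]!r}")
        if not isinstance(parsed, dict):
            raise ApiError("unexpected response shape; expected a JSON object")
        return parsed
    raise ApiError(f"still rate limited after {max_attempts} attempts")


if __name__ == "__main__":
    # Constructed demo: two 429s, then a successful response; no real network.
    fake = FakeTransport([(429, {}, b""), (429, {"Retry-After": "0"}, b""),
                          (200, {}, b'{"id": 7, "name": "Acme"}')])
    key = load_api_key(environ={"JOBSITEON_API_KEY": "demo-key"})
    print(api_request("GET", "https://api.jobsiteon.example/v1/contacts/7", key,
                      transport=fake, sleep=lambda s: print(f"backing off {s:.1f}s")))
```

Swap `FakeTransport` for the default `urllib_transport` (or your HTTP library of choice) to talk to the real API; the checks stay the same. The HTTPS guard runs before any bytes are sent, which is the point: a typo'd `http://` URL should fail in your code rather than leak the key on the wire and then be rejected by the server.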

IP allowlisting

If your infrastructure supports it, restrict API key usage to specific IP addresses. Contact support@jobsiteon.com to configure IP allowlisting for your workspace.

Tip: Treat API keys with the same care as passwords. A compromised key grants the same access as a signed-in user with the key's permissions.

Note: If you suspect an API key has been compromised, revoke it immediately from /settings > Integrations > API Keys and generate a new one.
