Use this checklist to make sure your integration is secure, reliable, and ready for production.
Security
- Never expose secrets in client-side code — Keep API credentials, webhook signing secrets, and other secrets on your backend only.
- Use HTTPS everywhere — Use HTTPS for API requests, redirect URLs, and webhook endpoints.
- Store tokens and sensitive data securely — Protect access tokens, refresh tokens, customer data, and webhook signing secrets at rest.
- Restrict access to signed documents — Only authorized users and systems should be able to view or download documents.
Webhooks
- Verify webhook signatures — Validate the
X-Formify-Signatureheader using your webhook signing secret and the raw request body. - Use the raw request body for verification — Do not verify against a re-serialized JSON payload.
- Check that the timestamp is recent — Validate
X-Formify-Timestampto reduce replay attacks. - Make webhook handling idempotent — Store processed
eventIdvalues and safely ignore duplicates. - Do not assume event ordering — Events may arrive late, more than once, or out of order.
- Return a 2xx response quickly — Acknowledge the webhook promptly and process longer tasks asynchronously if needed.
Reliability
- Handle expected HTTP errors — At minimum, handle 400, 401, 403, 404, 429, and 5xx responses.
- Use retries with backoff where appropriate — Retry temporary failures carefully instead of failing immediately.
- Handle rate limiting — If the API rate limits requests, slow down and retry later.
- Log safely — Log request outcomes and webhook processing, but never log secrets or sensitive personal data.
Before launch
- Test the full integration end-to-end — Verify the main production flow from API request to completed signing result.
- Test webhook signature verification — Confirm that valid webhook signatures are accepted and invalid ones are rejected.
- Test failure scenarios — Check behavior for expired tokens, invalid input, network failures, retries, and duplicate webhook deliveries.
- Verify production configuration — Confirm that production credentials, webhook endpoints, secrets, URLs, and environment settings are correct.
- Monitor critical failures — Set up alerts for repeated API failures or webhook delivery problems.
Note: Webhooks can be delivered more than once, so duplicate-safe processing is required.
Use HMAC signature verification for all webhook endpoints in production.
If you need help before launch, contact api@formify.eu.