Skip to main content
Version: v1.0

Security

Security guidelines for the integration between your CRM and Spot2 Ingestion.


Channels

The integration uses two channels:

  1. Pull: we query your API to fetch properties.
  2. Webhook (optional): you receive notifications from us about results.

Each channel has its own authentication mechanism.


Pull (authenticating our queries to your API)

Supported methods

MethodImplementation
API KeyHeader x-api-key. You provide us a key and we send it with every request.
Bearer TokenHeader Authorization: Bearer <token>.
Custom headerAny header name and value you define.

Recommendations

  • Dedicated key: create a key exclusively for Spot2. Don't reuse keys from other integrations.
  • Least privilege: read-only scope over the properties endpoint. No write permissions or access to other resources needed.
  • No auto-expiry: the key must not expire over time. If you need to rotate it, coordinate a transition window.
  • Per-key rate limiting: if your API has rate limits, configure them per key (not globally) so other integrations don't affect us.

Webhook (authenticating our notifications to your endpoint)

HMAC-SHA256

Every webhook we send includes an HMAC-SHA256 signature so you can verify authenticity and integrity.

Header:

X-Signature: sha256=<hash>

Algorithm:

  1. Input: the raw request body (bytes, unparsed).
  2. Key: the shared secret (feedback_secret).
  3. Function: HMAC-SHA256.
  4. Output: hex hash, prefixed with sha256=.

Verification (conceptual steps):

  1. Extract the value from the X-Signature header.
  2. Compute HMAC-SHA256 of the raw body using your secret.
  3. Format the hash as sha256=<hex>.
  4. Compare both strings using constant-time comparison (timing-safe).
  5. If they match: process the webhook. If not: respond 401 and discard.

Secret rotation

Procedure to rotate the feedback_secret without downtime:

  1. Notify us in advance.
  2. We configure both secrets (old and new) on our side.
  3. During the transition window (typically 24 hours), we send webhooks signed with either secret.
  4. Your endpoint must accept either one during that period.
  5. After the window ends, we remove the old secret and use only the new one.

Transport

  • TLS: minimum 1.2. Preferably 1.3.
  • HTTPS: required for both channels (pull and webhook).
  • Certificates: must be valid, not expired, issued by a recognized CA.

Rate limits

By default, we make a maximum of 60 requests per minute to your API.