Security
Security guidelines for the integration between your CRM and Spot2 Ingestion.
Channels
The integration uses two channels:
- Pull: we query your API to fetch properties.
- Webhook (optional): you receive notifications from us about results.
Each channel has its own authentication mechanism.
Pull (authenticating our queries to your API)
Supported methods
| Method | Implementation |
|---|---|
| API Key | Header x-api-key. You provide us a key and we send it with every request. |
| Bearer Token | Header Authorization: Bearer <token>. |
| Custom header | Any header name and value you define. |
Recommendations
- Dedicated key: create a key exclusively for Spot2. Don't reuse keys from other integrations.
- Least privilege: read-only scope over the properties endpoint. No write permissions or access to other resources needed.
- No auto-expiry: the key must not expire over time. If you need to rotate it, coordinate a transition window.
- Per-key rate limiting: if your API has rate limits, configure them per key (not globally) so other integrations don't affect us.
Webhook (authenticating our notifications to your endpoint)
HMAC-SHA256
Every webhook we send includes an HMAC-SHA256 signature so you can verify authenticity and integrity.
Header:
X-Signature: sha256=<hash>
Algorithm:
- Input: the raw request body (bytes, unparsed).
- Key: the shared secret (
feedback_secret). - Function: HMAC-SHA256.
- Output: hex hash, prefixed with
sha256=.
Verification (conceptual steps):
- Extract the value from the
X-Signatureheader. - Compute HMAC-SHA256 of the raw body using your secret.
- Format the hash as
sha256=<hex>. - Compare both strings using constant-time comparison (timing-safe).
- If they match: process the webhook. If not: respond 401 and discard.
Secret rotation
Procedure to rotate the feedback_secret without downtime:
- Notify us in advance.
- We configure both secrets (old and new) on our side.
- During the transition window (typically 24 hours), we send webhooks signed with either secret.
- Your endpoint must accept either one during that period.
- After the window ends, we remove the old secret and use only the new one.
Transport
- TLS: minimum 1.2. Preferably 1.3.
- HTTPS: required for both channels (pull and webhook).
- Certificates: must be valid, not expired, issued by a recognized CA.
Rate limits
By default, we make a maximum of 60 requests per minute to your API.