Best Practices
Follow these best practices to ensure secure, efficient, and reliable interactions with our API:
To qualify for our certification, the following best practices are mandatory. You will be asked about them during the process. Read more here.
- Securely Manage API Keys: Always store your customer's secret key in a secure location, separate from your codebase. Load the secret at runtime from this secure location. While environment variables can be used, they are generally discouraged for highly sensitive keys due to potential exposure risks.
- Adhere to Least Privilege for Tokens: Each API request should use a token with the minimum necessary scopes. If different operations require different scopes, generate and manage multiple tokens to adhere strictly to the principle of least privilege.
- Thoroughly Review Documentation: Before implementing, read all documentation pertinent to the endpoints you plan to use. This ensures you understand expected behaviours, request formats, and response structures.
- Implement Robust Error Handling: Properly handle 4xx (Client Errors) and 5xx (Server Errors) HTTP status codes. Implement specific logic to address common issues like 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, and 429 Too Many Requests. Provide clear, user-friendly error messages when relaying issues to end-users.
- Implement Circuit Breakers: For critical integrations, consider implementing a circuit breaker pattern. This prevents your application from repeatedly attempting to call a failing API, allowing the remote service to recover and preventing cascading failures in your own system.
- Employ Exponential Backoff for Rate Limits: When your application encounters rate limits, implement an exponential backoff strategy. This prevents your application from being blocked and ensures more efficient use of API resources.
- Prioritise Batch Requests: Whenever possible, prefer batch requests over individual requests. This can significantly reduce the number of API calls and improve the overall efficiency of your integration.
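The error-handling, circuit-breaker and backoff items above can share one client wrapper. The sketch below is an added example, not code from this API's provider: `call_api`, `CircuitBreaker`, the `send` callable and all thresholds are hypothetical names and values, and honouring the standard HTTP `Retry-After` header is an assumption, since this page does not say whether the API sends it.

```python
import random
import time


class CircuitOpen(Exception):
    """Raised instead of calling the API while the breaker is open."""


class CircuitBreaker:
    def __init__(self, max_failures=3, reset_after=30.0, clock=time.monotonic):
        self.max_failures, self.reset_after, self.clock = max_failures, reset_after, clock
        self.failures, self.opened_at = 0, None

    def before_call(self):
        # Open: refuse until the cool-down has passed, then allow one trial call.
        if self.opened_at is not None and self.clock() - self.opened_at < self.reset_after:
            raise CircuitOpen("remote API marked unhealthy; call skipped")

    def record(self, ok):
        if ok:
            self.failures, self.opened_at = 0, None
            return
        self.failures += 1
        if self.failures >= self.max_failures:
            self.opened_at = self.clock()  # (re)open and restart the cool-down


def call_api(send, breaker, max_attempts=5, base=0.5, cap=30.0,
             sleep=time.sleep, jitter=random.uniform):
    """send() -> (status, headers dict). Returns the final HTTP status."""
    status = None
    for attempt in range(max_attempts):
        breaker.before_call()
        status, headers = send()
        if status != 429:
            # 5xx counts against the breaker; other 4xx are caller errors
            # that a retry will not fix, so they are returned immediately.
            breaker.record(ok=status < 500)
            return status
        if attempt == max_attempts - 1:
            break  # out of attempts; do not sleep again
        # 429: wait a random time up to base * 2^attempt (capped), but never
        # less than a numeric Retry-After header if the server sent one.
        delay = jitter(0, min(cap, base * 2 ** attempt))
        retry_after = headers.get("Retry-After", "")
        if retry_after.isdigit():
            delay = max(delay, float(retry_after))
        sleep(delay)
    return status  # still rate limited after max_attempts
```

A 429 is not recorded as a breaker failure here because it shows the service is reachable and only asking the client to slow down; `send` is where the real HTTP request, with its least-privilege token, would be made.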
