Security checklist

Practical checks for Onboard REST API, webhooks, and MCP integrations before go-live and in production.

Use this checklist alongside Authentication, Webhooks, and MCP setup. For attestations and policies, see Compliance & trust and the Trust Center.

Each Copyable tasks block is Markdown (GitHub-flavored task lists). Use the Copy control on the code block to paste into GitHub, Notion, Linear, or an internal runbook.

API keys and secrets

  • Secret manager — Keep keys in a secret manager or server-side environment; never in mobile or browser code, public repositories, shared screenshots, or client-side config.
  • Separate keys — Use different keys for production and non-production environments.
  • Rotation — Rotate keys after role changes, offboarding, or any suspected exposure.
  • TLS — Call production only over HTTPS (for example https://rest.onboard.io).

Copyable tasks

- [ ] Keys live only in a secret manager or trusted server-side environment.
- [ ] Production and staging use different API keys.
- [ ] Key rotation is scheduled after staffing or security events.

REST API usage

  • Trusted backends — Send Authorization: Token … only from servers you control.
  • Backoff — Apply client-side rate limiting and exponential backoff; treat 429 responses as a signal to slow down.

Copyable tasks

- [ ] No API key is shipped to browsers or mobile clients.
- [ ] HTTP clients implement backoff on `429` and transient `5xx` errors.

Webhooks

  • HTTPS — Expose only HTTPS receiver URLs.
  • Verification — Confirm authenticity (for example HMAC or documented headers in Webhooks) before mutating downstream systems.
  • Fast ACK — Return 2xx quickly and process heavy work asynchronously.

Copyable tasks

- [ ] Webhook URL uses TLS.
- [ ] Every payload is verified before side effects run.
- [ ] Handler returns success only after the event is safely persisted.
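The receiver flow these items describe, as an added example (not Onboard's own code): verify the payload first, reject without side effects on failure, persist the event, and only then return success. The `t=<timestamp>,v1=<hex HMAC-SHA256>` header layout and the five-minute replay window are assumptions for the demo; use the scheme from the Webhooks documentation.

```python
import hmac
import hashlib
import json
import time

# Assumed signature layout (illustrative, not Onboard's documented scheme):
# "t=<unix ts>,v1=<hex HMAC-SHA256 of '<ts>.<raw body>'>"
TOLERANCE_SECONDS = 300  # reject deliveries older than this to limit replay

def parse_signature_header(header: str) -> tuple[int, str]:
    parts = dict(p.split("=", 1) for p in header.split(","))
    return int(parts["t"]), parts["v1"]

def verify_signature(secret: bytes, raw_body: bytes, header: str, now: float) -> bool:
    """True only if the timestamp is fresh and the HMAC over '<ts>.<body>' matches."""
    try:
        ts, provided = parse_signature_header(header)
    except (KeyError, ValueError):
        return False  # malformed header: treat as unauthenticated
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected digest.
    return hmac.compare_digest(expected, provided)

def sign(secret: bytes, raw_body: bytes, ts: int) -> str:
    """Builds the constructed sample header for the demo (sender side)."""
    mac = hmac.new(secret, f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"

def handle_webhook(secret: bytes, raw_body: bytes, header: str, store: dict, now: float) -> int:
    """Returns the HTTP status to send. Verify first; persist; only then ACK.
    Heavy processing is done later from `store`, not inside the request."""
    if not verify_signature(secret, raw_body, header, now):
        return 401  # reject before any downstream mutation
    event = json.loads(raw_body)
    event_id = event["id"]
    if event_id in store:
        return 200  # duplicate delivery already persisted: idempotent ACK
    store[event_id] = raw_body  # stand-in for a durable queue or table write
    return 200

if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    body = json.dumps({"id": "evt_demo_1", "type": "order.created"}).encode()
    now = time.time()
    store: dict = {}
    print(handle_webhook(secret, body, sign(secret, body, int(now)), store, now))  # 200
    print(handle_webhook(secret, body, "t=1,v1=00", store, now))                  # 401
```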

MCP (hosted HTTP)

  • Approved tools — Store API keys or tokens only in approved desktop or server tools.
  • Stable URLs — Use the MCP setup URLs; avoid trailing slashes where your client mishandles redirects.
  • Authority — Remember MCP tools can invoke REST operations with the same permissions as the configured API key.

Copyable tasks

- [ ] MCP credentials are limited to vetted clients.
- [ ] Hosted MCP URLs match the documented production paths.

Operations and governance

  • Admin access — Restrict who can create or rotate Admin API keys in Onboard.
  • Logging — Do not log full API keys in application logs, support tickets, or APM tools.

Copyable tasks

- [ ] Only named admins can issue or revoke integration keys.
- [ ] Log scrubbing rules exclude secrets and tokens.

Help

For security questions, vendor reviews, or incident reporting:

[email protected]
