Security

TLS

All traffic to the External API and the OAuth2 token endpoint is served over HTTPS. The API does not accept plaintext HTTP requests.

Credential handling

Your client_secret is a long-lived shared secret. It must be treated like a password.

  • Store it in a secret manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, etc.), or at minimum an environment variable — never in source control.
  • Scope access to the secret to the services that need it. Do not expose it to browser clients or mobile apps.
  • Rotate on any suspected compromise, on staff changes that affect who has access, and routinely as a matter of good hygiene. See Authentication — Secret rotation.

Tokens

Bearer tokens are short-lived (1 hour) and should be cached in memory only. Do not persist them to disk.

Tokens must be sent only over the HTTPS connection to the External API. They should not be logged, exposed in URLs, or forwarded to third parties.
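The handling described in the two sections above (secret read from the environment at use time, bearer token cached in memory and refreshed shortly before its 1-hour expiry, token value redacted before anything is logged), as an added Python example that is not part of these docs or of any EstimateOne client library. The token endpoint URL, the environment variable names and the offline stand-in for the token endpoint are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional

TOKEN_URL = "https://token.example.invalid/oauth2/token"  # assumption: placeholder, not the real URL


@dataclass
class CachedToken:
    value: str
    expires_at: float  # epoch seconds


class TokenCache:
    """Keeps the bearer token in process memory only and refreshes it shortly before expiry."""
    def __init__(self, fetch: Callable[[str, str, str], Dict], env: Mapping[str, str],
                 clock: Callable[[], float] = time.time, skew: int = 60):
        self._fetch = fetch  # performs the HTTPS client_credentials POST; injected so this runs offline
        self._env = env      # os.environ in production; a plain dict in the test
        self._clock = clock
        self._skew = skew    # refresh this many seconds before expiry to avoid sending a stale token
        self._token: Optional[CachedToken] = None
        self.fetch_count = 0

    def get(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._token.expires_at - self._skew:
            # The secret is read from the environment at use time and is never stored on this object.
            body = self._fetch(TOKEN_URL, self._env["EXTERNAL_API_CLIENT_ID"],
                               self._env["EXTERNAL_API_CLIENT_SECRET"])
            self._token = CachedToken(body["access_token"], now + float(body["expires_in"]))
            self.fetch_count += 1
        return self._token.value

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.get()}"}


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers that is safe to log: the bearer value is replaced, not printed."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Bearer [REDACTED]"
    return safe


def fake_token_endpoint(url: str, client_id: str, client_secret: str) -> Dict:
    """Constructed stand-in for the token endpoint so the example runs offline."""
    assert url.startswith("https://"), "credentials and tokens only travel over TLS"
    return {"access_token": "tok-" + client_id, "token_type": "Bearer", "expires_in": 3600}
```

In production pass `os.environ` as `env` and a function that POSTs the client_credentials grant over HTTPS as `fetch`; the cache object itself is the only place the token lives.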

IP allow-listing

The API does not currently support IP allow-listing for partner traffic. If your organisation requires it, let us know during onboarding so we can assess feasibility.

Reporting a security issue

If you believe you’ve discovered a security issue in the External API, please report it privately — do not open a public GitHub issue or post to a public channel.

Email reports to security@estimateone.com with the subject line “External API — security report”. Response handling and any service-level commitments are governed by your partnership agreement, not these docs.