XWMS API Security Checklist

Keep XWMS API integrations secure.

Use this checklist before going live.

Credentials

  • Keep client secrets server-side.
  • Never place secrets in frontend JavaScript.
  • Rotate secrets when a team member or vendor no longer needs access.
  • Use environment variables for production credentials.

Domains

  • Verify the production domain.
  • Remove old staging domains when no longer needed.
  • Keep test and live environments separate.

Scopes

  • Request only needed scopes.
  • Explain to users why access is needed.
  • Handle revoked access gracefully.

Logging

  • Do not log tokens or secrets.
  • Redact personal data that is not needed for support.
  • Keep API error handling predictable.
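
One way to enforce the logging items above in a Python integration, as an added example that is not XWMS code. The field names, the Bearer header form and the logger name are assumptions, since this page does not document XWMS token or field formats; the sample values are constructed.

```python
import io
import logging
import re

# Assumed patterns: adjust to the fields your integration actually handles.
PATTERNS = [
    # "Bearer <token>" as seen in logged Authorization headers
    (re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]+"), r"\1 [REDACTED]"),
    # key=value or "key": "value" pairs for secret-bearing fields
    (re.compile(r'(?i)("?\b(?:client_secret|access_token|refresh_token|api_key)'
                r'"?\s*[=:]\s*"?)[^\s"&,}]+'), r"\1[REDACTED]"),
    # e-mail addresses (personal data not needed for support)
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
]

def redact(text):
    """Return text with secrets and e-mail addresses masked."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text

class RedactingFilter(logging.Filter):
    def filter(self, record):
        # Format first, so values passed as %-style args are redacted too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True

def build_logger(stream):
    logger = logging.getLogger("xwms_integration")  # hypothetical logger name
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False  # keep records away from unfiltered root handlers
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())  # attach per handler, before output
    logger.addHandler(handler)
    return logger

def demo():
    """Log three constructed messages and return what reached the stream."""
    buf = io.StringIO()
    log = build_logger(buf)
    log.info("token exchange failed: client_secret=%s user=%s",
             "s3cr3t-constructed", "jane@example.com")
    log.info("upstream headers: Authorization: Bearer %s", "abc.def.ghi")
    log.info('response body: {"access_token": "tok_constructed_123", "expires_in": 3600}')
    return buf.getvalue()
```

The filter covers the formatted message only; exception tracebacks and structured `extra` fields need their own handling.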