Security Best Practices
Recommendations for keeping your Anchor CRM integration — and your customer data — safe.
Credentials
- One key per integration. Separate keys mean a leak is contained and revocation is surgical.
- Least privilege. Grant only the scopes the integration uses. Reserve
*for short-lived internal tooling, and prefer explicit scopes even then (see Scopes). - Set an expiry. Keys with
expiresInDaysfail closed if rotation is forgotten. - Use the IP allowlist when your integration calls from fixed egress IPs.
- Rotate regularly and immediately on suspicion of exposure. Rotation issues a new secret without reconfiguring scopes.
In your application
- Keep keys in a secret manager or environment variables — never in source control, browser code, or logs.
- Make API calls from your backend. A key embedded in a client app is public.
- Handle
401/403distinctly: a 401 means the key is invalid or expired; a 403 names the missing scope. - Treat record IDs as opaque strings — do not parse or enumerate them.
Data handling
- Store only what your integration needs. CRM records contain personal data — minimize copies, and honor deletions by re-syncing rather than caching indefinitely.
- All records are scoped to your organization server-side; a 404 on a valid-looking ID usually means the record belongs to another organization or was deleted.
Account security
- Limit admin roles — only admins can mint API keys.
- Review the key list at
/settings/api-keysperiodically and revoke anything unused. - Use the activity feed to audit unexpected changes.
Reporting vulnerabilities
Found a security issue? Email support@stratalace.com with details. Please do not test against organizations you do not own.