Documentation
Sign In

Security Best Practices

Recommendations for keeping your Anchor CRM integration — and your customer data — safe.

Credentials

  • One key per integration. Separate keys mean a leak is contained and revocation is surgical.
  • Least privilege. Grant only the scopes the integration uses. Reserve * for short-lived internal tooling, and prefer explicit scopes even then (see Scopes).
  • Set an expiry. Keys with expiresInDays fail closed if rotation is forgotten.
  • Use the IP allowlist when your integration calls from fixed egress IPs.
  • Rotate regularly and immediately on suspicion of exposure. Rotation issues a new secret without reconfiguring scopes.

In your application

  • Keep keys in a secret manager or environment variables — never in source control, browser code, or logs.
  • Make API calls from your backend. A key embedded in a client app is public.
  • Handle 401/403 distinctly: a 401 means the key is invalid or expired; a 403 names the missing scope.
  • Treat record IDs as opaque strings — do not parse or enumerate them.

Data handling

  • Store only what your integration needs. CRM records contain personal data — minimize copies, and honor deletions by re-syncing rather than caching indefinitely.
  • All records are scoped to your organization server-side; a 404 on a valid-looking ID usually means the record belongs to another organization or was deleted.

Account security

  • Limit admin roles — only admins can mint API keys.
  • Review the key list at /settings/api-keys periodically and revoke anything unused.
  • Use the activity feed to audit unexpected changes.

Reporting vulnerabilities

Found a security issue? Email support@stratalace.com with details. Please do not test against organizations you do not own.