API Integration Service Review and Certification

To secure logic confining to WISEflow principles

Why do a Review?

This article outlines a series of rules and questions that an institution using the API to integrate with WISEflow must follow. This ensures the integration has the proper foundation and follows the best practice guidelines. To better support you in the future, we also wish to document use cases and general logic used in the integration.

What Happens?
  • Before development starts, a UNIwise Technical Consultant will meet with the customer to discuss the integration project. Review questions will be shared and discussed before development begins. Please see the below questions.
  • Before going live, the integration must be reviewed and certified by a UNIwise engineer.
  • A session will be conducted with a UNIwise Technical Consultant and one or more members of your integration team.
  • You might be asked to display and go through the integration code during the review meeting.
Review Questions

WISEflow Specific

  • Describe your use cases; what are you trying to achieve with the API?
  • Describe how you intend to develop and support your use cases
  • Have you set up proper channels for contacting UNIwise support?
    • Both a technical and a licence administrator?
  • Have you subscribed to the WISEflow status site?

Requests

  • Do you use batch operations where available?
  • Do you use webhooks to monitor changes instead of polling?

Error Handling

  • Make sure that your integration can handle common HTTP status codes:
    • 2xx
    • 4xx
      • Where the most important ones are 401 - unauthorised, 429 – Too many requests
  • 5xx

Request Monitoring

  • How do you monitor requests?
  • How are these requests logged?
  • What requests data are you logging?

Rate Limit

  • How do you handle the rate limit?

Testing

  • Have you thoroughly tested the API on the WISEflow stage environment?

Webhooks

  • Are you using webhooks?
  • Are you answering with a 200 when received?
  • Do you verify the request body against the signature header?
    • HMAC256 signature
  • How do you handle not receiving webhook calls if WISEflow/webhook service is unavailable?

Security

  • Are you storing your API keys securely?
    • It is highly recommended that a 0Auth client be used.
Was this article helpful?
0 out of 0 found this helpful

Articles in this section