API & Webhook Standards
Authentication — in order of preference
- OAuth 2.0 — most secure for user-facing integrations
- API key stored in environment variable / platform credential store
- Basic auth — only if no better option exists
- Never: hardcoded credentials in workflow logic
Rate Limiting — mandatory
- Every API integration must respect the source system’s rate limits
- Implement exponential backoff on 429 responses: 1s → 2s → 4s → 8s → alert
- For high-volume automations: calculate expected call volume before build and confirm it’s within limits
Webhooks
- Validate webhook signatures where the source provides them (Shopify, Stripe, GitHub, etc.)
- Respond with HTTP 200 immediately — process asynchronously, not inline
- Handle duplicate deliveries gracefully — same event delivered twice must not create duplicate records
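The three webhook rules above, combined in one receiver. This is an added example, not code from any platform named on this page. It assumes the source signs the raw request body with HMAC-SHA256 and sends a hex digest, and that each event carries an "id" field; real providers each document their own header name and encoding. WebhookReceiver, sign and the sample payload are hypothetical names and constructed values.

```python
import hashlib
import hmac
import json
import queue
from typing import Optional


def sign(raw_body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes received (assumed scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self.secret = secret             # load from env / credential store, never hardcode
        self.seen_ids = set()            # production: durable store with a unique key
        self.work_queue = queue.Queue()  # drained by a separate worker, not inline

    def handle(self, raw_body: bytes, signature: Optional[str]) -> int:
        """Return the HTTP status to send; no business logic runs here."""
        expected = sign(raw_body, self.secret)
        # Constant-time compare, done before parsing or touching any state,
        # so unauthenticated requests cannot fill the dedupe set or the queue.
        if not hmac.compare_digest(expected.encode(), (signature or "").encode()):
            return 401
        try:
            event = json.loads(raw_body)
            event_id = str(event["id"])
        except (ValueError, KeyError, TypeError):
            return 400
        if event_id in self.seen_ids:
            return 200                   # duplicate delivery: acknowledge, enqueue nothing
        self.seen_ids.add(event_id)
        self.work_queue.put(event)       # respond now, process asynchronously
        return 200


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value for the demo only
    rx = WebhookReceiver(secret)
    body = b'{"id": "evt_001", "type": "order.created"}'  # constructed sample
    sig = sign(body, secret)
    print(rx.handle(body, sig), rx.handle(body, sig), rx.work_queue.qsize())
    print(rx.handle(body + b" ", sig))   # body altered after signing
```

The signature is computed over the raw bytes, so verify before any JSON parsing or re-serialization changes them.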
Data Handling
- Request the minimum data needed — don’t pull full records when one field is sufficient
- PII (names, emails, phone numbers): don’t log unnecessarily, don’t store beyond what’s required
Testing Standards
No automation is submitted for peer review without passing all test cases.
Minimum Test Coverage — Every Automation
| Test type | What to test |
|---|---|
| Happy path | Full end-to-end with clean expected input → correct output in all destination systems |
| Missing required field | Input missing a required field → graceful error, alert fired, no crash |
| Unexpected data format | Date in wrong format, number as text → handled without crash |
| Duplicate input | Trigger fires twice → no duplicate output |
| System unavailability | Target system returns 500 → retry or graceful failure |
| AI output validation | AI returns unexpected format → fallback behaves as designed |
Test Data
- Use realistic anonymized data — not placeholder strings
- Store all test cases in GitHub /tests directory
- n8n: use the built-in testing panel
- Make: use Run Once with test data before activating
Staging vs. Production
- Always build and test in staging/sandbox first
- Never test with live production data without PMO partner approval
- Document which environment each credential connects to in .env.example