Developer Documentation

Authentication & Security

Smart feedback for Dutch webshops. Securely connect your store to the FeedBackNL API using industry-standard protocols.


Authentication Methods

Choose the integration path that matches your infrastructure. FeedBackNL supports static API keys for server-to-server calls and OAuth 2.0 for user-facing applications.

Static API Keys

Generate read-only or write-enabled keys directly from your merchant dashboard. Keys are scoped to specific endpoints such as `/v1/reviews` or `/v1/customers`, so a key issued for reviews cannot touch customer data. Send the key in the `X-Api-Key` header on every request, GET as well as POST, and rotate keys at least quarterly.

OAuth 2.0 Authorization Code

Ideal for multi-tenant apps and Shopify/WooCommerce plugins. Redirect the user to `auth.feedbackend.nl/authorize`, receive the authorization code on your registered redirect URI, and exchange it for an access token. Generate a fresh random `state` value for each authorization request and reject any callback whose `state` does not match the one you issued. Access tokens expire after 3600 seconds; obtain a new one with the refresh token grant instead of sending the user back through the redirect.
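The flow described above, as an added example rather than FeedBackNL's own SDK: it builds the authorize URL with a per-request `state`, discards a callback whose `state` does not match, exchanges the code, and refreshes the access token shortly before the 3600-second expiry. The page names only the authorize host and the token lifetime; the `https` scheme, the token endpoint `https://auth.feedbackend.nl/token`, the standard OAuth 2.0 parameter names, and the fake token endpoint used to run this offline are assumptions.

```python
"""OAuth 2.0 authorization-code flow for a FeedBackNL plugin (added example).
Assumed, not on the page: https scheme, token endpoint auth.feedbackend.nl/token,
standard OAuth 2.0 parameter names. HTTP is injected so the flow runs offline."""
import secrets
import time
from typing import Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.feedbackend.nl/authorize"  # host and path from the page
TOKEN_URL = "https://auth.feedbackend.nl/token"          # assumed
ACCESS_TOKEN_TTL = 3600                                  # seconds, from the page


class OAuthStateError(Exception):
    """Callback state missing or not the one this session issued."""


def build_authorize_url(client_id: str, redirect_uri: str, scopes: List[str]) -> Tuple[str, str]:
    """Return (url, state). Keep state in the user's session; the callback must
    echo it back. Ask only for the scopes the integration really uses."""
    state = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Extract the code from the redirect the browser delivered. A missing or
    mismatched state means this session did not start the flow (login CSRF)."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise OAuthStateError("state mismatch; discarding callback")
    return qs["code"][0]


class TokenStore:
    def __init__(self, client_id: str, client_secret: str, redirect_uri: str,
                 http_post: Callable[[str, Dict[str, str]], Dict],
                 now: Callable[[], float] = time.time):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.http_post, self.now = http_post, now
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def exchange_code(self, code: str) -> None:
        self._store(self._post({"grant_type": "authorization_code", "code": code,
                                "redirect_uri": self.redirect_uri}))

    def refresh(self) -> None:
        self._store(self._post({"grant_type": "refresh_token",
                                "refresh_token": self.refresh_token}))

    def get_access_token(self, skew: float = 60.0) -> str:
        # Refresh `skew` seconds early so a token never expires mid-request.
        if self.access_token is None:
            raise RuntimeError("run the authorization flow first")
        if self.now() >= self.expires_at - skew:
            self.refresh()
        return self.access_token

    def _post(self, fields: Dict[str, str]) -> Dict:
        return self.http_post(TOKEN_URL, {**fields, "client_id": self.client_id,
                                          "client_secret": self.client_secret})

    def _store(self, resp: Dict) -> None:
        self.access_token = resp["access_token"]
        self.refresh_token = resp.get("refresh_token", self.refresh_token)  # server may rotate it
        self.expires_at = self.now() + int(resp.get("expires_in", ACCESS_TOKEN_TTL))


def fake_token_endpoint(url: str, fields: Dict[str, str]) -> Dict:
    """Constructed stand-in for the real token endpoint, for the offline demo only."""
    assert url == TOKEN_URL
    if fields["grant_type"] == "authorization_code" and fields["code"] == "abc123":
        return {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600}
    if fields["grant_type"] == "refresh_token" and fields["refresh_token"] == "rt-1":
        return {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 3600}
    raise ValueError("invalid_grant")


def demo() -> Dict[str, str]:
    """Consent, callback, code exchange, then a refresh inside the skew window."""
    clock = [1_700_000_000.0]                       # fake time so the refresh is deterministic
    redirect_uri = "https://shop.example/feedbacknl/callback"
    url, state = build_authorize_url("app-123", redirect_uri, ["reviews:read", "webhooks:manage"])
    callback = f"{redirect_uri}?code=abc123&state={state}"  # constructed browser redirect
    code = parse_callback(callback, state)
    store = TokenStore("app-123", "client-secret", redirect_uri, fake_token_endpoint, lambda: clock[0])
    store.exchange_code(code)
    first = store.get_access_token()
    clock[0] += ACCESS_TOKEN_TTL - 30               # 30 s before expiry: inside the 60 s skew
    second = store.get_access_token()
    return {"authorize_url": url, "code": code, "first": first, "second": second,
            "refresh_token": store.refresh_token}
```

In a real plugin, `state` lives in the user's server-side session and `http_post` is your HTTP client posting the form fields to the token endpoint; everything else stays the same.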

Infrastructure

Security Architecture & Scopes

Least privilege is enforced by default: every token and key carries an explicit set of scopes, and the gateway rejects any request that falls outside them before it is processed.

Available scopes include `reviews:read`, `reviews:write`, `customers:export`, and `webhooks:manage`. Requesting `admin:settings` without explicit admin consent returns `403 Forbidden`; request only the scopes your integration actually uses.

All traffic is encrypted in transit with TLS 1.3, and sensitive PII fields such as `email` and `phone` are redacted automatically in server logs.

Production keys are subject to strict IP allowlisting: add the egress addresses of your Vercel, Heroku, or AWS Elastic IP deployment to the allowlist in the security panel, because requests from any other address are refused.

Operations

Integration Best Practices

Follow these operational guidelines to maintain compliance and avoid account lockouts.

Key Rotation & Storage

Never commit credentials to source control, public or private. Store keys in environment variables such as `FEEDBACKNL_SECRET`, inject them at deploy time, and use automated rotation scripts. Requests made with an expired key return `401 Unauthorized` with a `retry-after` header; treat that as a signal to rotate, since retrying with the same key will keep failing.

Rate Limiting & Backoff

The API enforces a ceiling of 120 requests per minute per merchant ID. Implement exponential backoff starting at 500ms when you encounter `429 Too Many Requests`. Monitor the `X-RateLimit-Remaining` header to adjust polling intervals dynamically.
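A server-to-server client that ties together the key handling from the previous subsection (key read from `FEEDBACKNL_SECRET`, `X-Api-Key` on every request, `401` treated as a rotation signal rather than a retry) with the backoff rules above. This is an added example, not FeedBackNL's SDK; the base URL `https://api.feedbackend.nl`, the retry ceiling, the 30-second backoff cap, and the scripted server responses are assumptions. HTTP and sleep are injected so the `429` path can be exercised offline.

```python
"""FeedBackNL server-to-server client with 429 backoff (added example, not the
vendor SDK). Assumed, not on the page: base URL api.feedbackend.nl, a retry
ceiling of 5 and a 30 s backoff cap. HTTP and sleep are injected for offline use."""
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Mapping, Optional

BASE_URL = "https://api.feedbackend.nl"  # assumed
INITIAL_BACKOFF = 0.5                    # 500 ms, from the page
MAX_RETRIES = 5                          # assumed
BACKOFF_CAP = 30.0                       # assumed


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


class ApiKeyError(Exception):
    """Missing, expired or revoked key; retrying will not help."""


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from FEEDBACKNL_SECRET and fail closed if it is absent, so a
    misconfigured deploy never silently falls back to some hard-coded key."""
    key = env.get("FEEDBACKNL_SECRET", "").strip()
    if not key:
        raise ApiKeyError("FEEDBACKNL_SECRET is not set")
    return key


def backoff_delay(attempt: int, base: float = INITIAL_BACKOFF, cap: float = BACKOFF_CAP) -> float:
    """Delay before retry number `attempt` (0-based): 0.5, 1, 2, 4 ... seconds, capped."""
    return min(cap, base * 2 ** attempt)


class FeedBackNLClient:
    def __init__(self, api_key: str,
                 http: Callable[[str, str, Dict[str, str]], Response],
                 sleep: Callable[[float], None] = time.sleep):
        self.api_key = api_key
        self.http = http                      # http(method, url, headers) -> Response
        self.sleep = sleep
        self.remaining: Optional[int] = None  # last seen X-RateLimit-Remaining

    def request(self, method: str, path: str, max_retries: int = MAX_RETRIES) -> Response:
        headers = {"X-Api-Key": self.api_key}  # on GET as well as POST
        url = BASE_URL + path
        attempt = 0
        while True:
            resp = self.http(method, url, headers)
            remaining = resp.headers.get("X-RateLimit-Remaining")
            if remaining is not None:
                self.remaining = int(remaining)
            if resp.status == 401:
                raise ApiKeyError("401: key expired or revoked; rotate it instead of retrying")
            if resp.status != 429 or attempt >= max_retries:
                return resp
            self.sleep(backoff_delay(attempt))  # 429: back off, then try again
            attempt += 1

    def polling_interval(self, window: float = 60.0) -> float:
        """Spread the remaining per-minute budget over the window; with nothing
        left, wait out the whole window before polling again."""
        if not self.remaining:
            return window
        return window / self.remaining


def demo() -> Dict[str, object]:
    """Constructed server script: two 429s, then a 200 with budget left."""
    script = iter([
        Response(429, {"X-RateLimit-Remaining": "0"}),
        Response(429, {"X-RateLimit-Remaining": "0"}),
        Response(200, {"X-RateLimit-Remaining": "117"}, b'{"reviews": []}'),
    ])
    seen_keys: List[str] = []

    def fake_http(method: str, url: str, headers: Dict[str, str]) -> Response:
        seen_keys.append(headers["X-Api-Key"])
        return next(script)

    slept: List[float] = []
    client = FeedBackNLClient(load_api_key({"FEEDBACKNL_SECRET": "test-key"}),
                              fake_http, sleep=slept.append)
    resp = client.request("GET", "/v1/reviews")
    return {"status": resp.status, "calls": len(seen_keys), "slept": slept,
            "remaining": client.remaining, "interval": round(client.polling_interval(), 3)}
```

The retry loop only retries on `429`; a `401` is raised immediately because a rotated or expired key does not become valid by waiting.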

Webhook Verification

Validate the `X-Webhook-Signature` header before processing an incoming submission event: compute HMAC-SHA256 over the raw request body with your client secret and compare the result to the header using a constant-time comparison. Parse the body only after the signature checks out. This prevents spoofed payloads from third-party bots or misconfigured staging servers.
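The check described above in working form, as an added example that is not FeedBackNL's own code. The page specifies HMAC-SHA256 with the client secret over the `X-Webhook-Signature` header; the hex encoding of the signature, the optional `sha256=` prefix, and the constructed payload and secrets are assumptions. The example also shows the three ways a request fails verification: a tampered body, a missing header, and a signature produced with another environment's secret.

```python
"""Verify FeedBackNL webhook signatures before touching the payload (added
example). Hex encoding and the optional "sha256=" prefix are assumptions."""
import hashlib
import hmac
import json
from typing import Any, Dict, Mapping, Optional

HEADER = "X-Webhook-Signature"  # header name from the page


def sign_webhook(client_secret: bytes, raw_body: bytes) -> str:
    """What the sender is assumed to compute: hex HMAC-SHA256 of the raw body."""
    return hmac.new(client_secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(client_secret: bytes, raw_body: bytes, signature: Optional[str]) -> bool:
    """Constant-time check of the header against the HMAC of the *raw* bytes.
    Recomputing over a parsed-and-reserialised JSON object breaks on whitespace
    and key order; always hash the bytes exactly as received."""
    if not signature:
        return False
    sig = signature.strip().lower()
    if sig.startswith("sha256="):      # prefixed form, assumed
        sig = sig[len("sha256="):]
    if len(sig) != 64 or any(c not in "0123456789abcdef" for c in sig):
        return False                   # malformed header never reaches the compare
    return hmac.compare_digest(sign_webhook(client_secret, raw_body), sig)


def handle_webhook(client_secret: bytes, raw_body: bytes, headers: Mapping[str, str]) -> Dict[str, Any]:
    """Reject before parsing; the caller maps PermissionError to a 401/403."""
    # Framework header objects are usually case-insensitive; a plain dict is not.
    if not verify_webhook(client_secret, raw_body, headers.get(HEADER)):
        raise PermissionError("webhook signature invalid")
    return json.loads(raw_body)


def demo() -> Dict[str, bool]:
    """Constructed event and secrets; exercises the valid and the failing paths."""
    secret = b"client-secret-from-dashboard"
    body = json.dumps({"event": "submission.created", "review_id": "rev_42",
                       "rating": 5, "email": "k.jansen@example.nl"}).encode()
    good = {HEADER: sign_webhook(secret, body)}
    tampered = body.replace(b'"rating": 5', b'"rating": 1')  # body edited, header reused
    return {
        "valid": verify_webhook(secret, body, good[HEADER]),
        "tampered": verify_webhook(secret, tampered, good[HEADER]),
        "missing": verify_webhook(secret, body, None),
        "wrong_secret": verify_webhook(b"staging-secret", body, good[HEADER]),
        "prefixed": verify_webhook(secret, body, "sha256=" + good[HEADER]),
        "parsed_event": handle_webhook(secret, body, good)["event"] == "submission.created",
    }
```

Read the body as bytes from the request object before any JSON middleware runs, and use `hmac.compare_digest` rather than `==` so an attacker cannot recover the signature byte by byte from response timing.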
