API security, rate limits, idempotency, and support

Integration hardening practices for production-safe API clients.

Production integrations should enforce strict credential handling, predictable retry rules, and idempotent client behavior where supported.

Security and access controls

  • Store credentials securely and rotate them after any incident or change of ownership.
  • Use least-privilege scopes/roles for integration identities.
  • Log request identifiers and error codes for traceable support escalation.

Rate-limit and idempotency guidance

  • Handle 429 responses with a controlled retry delay and backoff (honor a Retry-After header when the server sends one).
  • Use idempotency keys where API workflows support them (for example, chat send-message flows), and reuse the same key on every retry of one logical request.
  • Treat duplicate-submission risk explicitly in client design for order- and payment-adjacent actions.
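An added example (not code from the original page or from any particular API) of a client that follows the two rules above: it backs off on 429, honoring Retry-After when present and otherwise using capped exponential backoff with jitter, and reuses one Idempotency-Key across retries so the server executes a retried send only once. The `transport` callable and `FakeServer` are constructed stand-ins for an HTTP layer and an API; the header name and status codes are assumptions.

```python
import random
import uuid

# Status codes worth retrying; anything else is returned to the caller as-is.
RETRYABLE = {429, 500, 502, 503, 504}

def backoff_delay(attempt, retry_after=None, base=0.5, cap=8.0):
    """Seconds to wait before retry number `attempt` (0-based).
    Honors Retry-After when present; otherwise exponential backoff with full jitter."""
    if retry_after is not None:
        return float(retry_after)
    return random.uniform(0, min(cap, base * (2 ** attempt)))

def send_with_retry(transport, body, sleep, max_attempts=5, idempotency_key=None):
    """Send `body` via transport(headers, body) -> (status, headers, response).
    One Idempotency-Key is generated per logical request and reused on every
    retry; a fresh key per attempt would defeat server-side deduplication."""
    key = idempotency_key or str(uuid.uuid4())
    headers = {"Idempotency-Key": key}
    last = None
    for attempt in range(max_attempts):
        status, resp_headers, resp = transport(headers, body)
        if status not in RETRYABLE:
            return status, resp
        last = (status, resp)
        if attempt == max_attempts - 1:
            break  # retries exhausted: surface the last error to the caller
        sleep(backoff_delay(attempt, resp_headers.get("Retry-After")))
    return last

class FakeServer:
    """Constructed stand-in for an API: rate-limits the first `limit` calls,
    then executes each Idempotency-Key once and replays the stored response."""
    def __init__(self, limit=2):
        self.limit = limit
        self.calls = 0       # every request received, including rate-limited ones
        self.executed = 0    # side effects actually performed
        self.seen = {}       # idempotency key -> stored response

    def __call__(self, headers, body):
        self.calls += 1
        if self.calls <= self.limit:
            return 429, {"Retry-After": "1"}, {"error": "rate_limited"}
        key = headers["Idempotency-Key"]
        if key not in self.seen:
            self.executed += 1
            self.seen[key] = {"message_id": f"msg-{self.executed}", "text": body["text"]}
        return 200, {}, self.seen[key]
```

Pass `time.sleep` as `sleep` in a real client; the injectable parameter lets tests record the computed delays instead of waiting.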

Technical support expectations

  • Share endpoint, request ID, timestamp, and sanitized payload when reporting issues.
  • Include environment, expected behavior, and observed behavior in every ticket.

Good observability and deterministic retry behavior are the fastest path to stable integrations.