Developer Infrastructure
Authentication – API Keys & OAuth
Real-time customer feedback for German webshops
Managing API Access Keys
Generate and rotate scoped credentials to control read/write permissions across your Shopify, WooCommerce, and custom storefronts.
FeedBackPro issues scoped API keys; each request is authenticated with an HMAC-SHA256 signature computed from the key's secret and sent in the `X-FeedbackPro-Signature` header. Each key is bound to a single environment (sandbox or production) and expires after 90 days by default. Navigate to Settings > Integrations > API Access to create a new credential pair. Rotation can be automated through the key rotation endpoint at `https://api.feedbackpro.de/v2/keys/rotate`. Treat the secret half of the pair like a password: anyone holding it can sign requests with the key's full scope until the key expires or is rotated.
Read-Only Keys
Permitted for analytics dashboards and BI tools like Tableau or Metabase. Grants access to `/v2/responses` and `/v2/surveys` endpoints without write capabilities.
Write & Admin Keys
Required for programmatic survey deployment and customer data sync. Includes access to `/v2/webhooks`, `/v2/export`, and configuration endpoints. Enforces IP allowlisting.
Key Rotation Workflow
Generate a successor key before decommissioning the active one. FeedBackPro maintains a 7-day overlap window to prevent integration downtime during CI/CD pipeline updates.
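The signing scheme and the rotation overlap from the two sections above, as one added example that is not FeedBackPro's own SDK or server code. The page does not define the string that is signed, so this block assumes it is `<METHOD>\n<path>\n<unix timestamp>\n<sha256 hex of body>`, that the key id and timestamp travel in `X-FeedbackPro-Key-Id` and `X-FeedbackPro-Timestamp` headers (assumed names), and that requests older than 5 minutes are refused; the secrets and scope names (`read`, `write`) are constructed for the example.

```python
"""Added example (not FeedBackPro's own SDK or server code): sign a request with
an API key's secret and verify it against a key ring that honours the 7-day
rotation overlap. Canonical string, header names, the 5-minute freshness
window and all secrets are assumptions, not taken from the page.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import FrozenSet, Optional

MAX_SKEW_SECONDS = 300              # assumed freshness window (limits replay)
OVERLAP_SECONDS = 7 * 24 * 3600     # 7-day overlap after a successor is issued


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    secret: bytes
    scopes: FrozenSet[str]              # "read" for read-only keys, "write" for write/admin keys
    retired_at: Optional[float] = None  # set when a successor key is generated


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, time and body so none of them can be altered in transit."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign(key: ApiKey, method: str, path: str, body: bytes, timestamp: Optional[int] = None) -> dict:
    """Client side: produce the authentication headers for one request."""
    ts = int(time.time() if timestamp is None else timestamp)
    mac = hmac.new(key.secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {
        "X-FeedbackPro-Key-Id": key.key_id,
        "X-FeedbackPro-Timestamp": str(ts),
        "X-FeedbackPro-Signature": mac,
    }


class KeyRing:
    """Server side: the keys currently acceptable for one merchant."""

    def __init__(self) -> None:
        self._keys: dict = {}

    def add(self, key: ApiKey) -> None:
        self._keys[key.key_id] = key

    def rotate(self, old_id: str, successor: ApiKey, now: float) -> None:
        """Issue the successor and start the overlap clock on the old key."""
        old = self._keys[old_id]
        self._keys[old_id] = ApiKey(old.key_id, old.secret, old.scopes, retired_at=now)
        self._keys[successor.key_id] = successor

    def lookup(self, key_id: str, now: float) -> Optional[ApiKey]:
        key = self._keys.get(key_id)
        if key is None:
            return None
        if key.retired_at is not None and now > key.retired_at + OVERLAP_SECONDS:
            return None  # overlap window closed: the old key is dead
        return key


def verify(ring: KeyRing, method: str, path: str, body: bytes, headers: dict,
           required_scope: str, now: Optional[float] = None):
    """Return (accepted, reason). Checks key validity, freshness, MAC, then scope."""
    now = time.time() if now is None else now
    key = ring.lookup(headers.get("X-FeedbackPro-Key-Id", ""), now)
    if key is None:
        return False, "unknown or expired key"
    try:
        ts = int(headers["X-FeedbackPro-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = hmac.new(key.secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # constant-time comparison: a plain == leaks timing about how many bytes matched
    if not hmac.compare_digest(expected, headers.get("X-FeedbackPro-Signature", "")):
        return False, "bad signature"
    if required_scope not in key.scopes:
        return False, "scope not granted"
    return True, "ok"


def rotation_demo() -> dict:
    """Walk one key through its rotation; returns the verifier's verdict at each step."""
    t0 = 1_700_000_000
    day = 86_400
    ring = KeyRing()
    old = ApiKey("key_old", b"old-secret-constructed-for-example", frozenset({"read"}))
    new = ApiKey("key_new", b"new-secret-constructed-for-example", frozenset({"read", "write"}))
    ring.add(old)
    body = b'{"survey_id": 42}'
    out = {}

    h = sign(old, "GET", "/v2/responses", body, t0)
    out["old_before_rotation"] = verify(ring, "GET", "/v2/responses", body, h, "read", t0)[1]
    out["old_key_for_write"] = verify(ring, "GET", "/v2/responses", body, h, "write", t0)[1]

    ring.rotate("key_old", new, t0)                      # successor generated, overlap starts
    h = sign(old, "GET", "/v2/responses", body, t0 + 3 * day)
    out["old_in_overlap"] = verify(ring, "GET", "/v2/responses", body, h, "read", t0 + 3 * day)[1]
    h = sign(old, "GET", "/v2/responses", body, t0 + 8 * day)
    out["old_after_overlap"] = verify(ring, "GET", "/v2/responses", body, h, "read", t0 + 8 * day)[1]

    h = sign(new, "POST", "/v2/surveys", body, t0 + 8 * day)
    out["new_write"] = verify(ring, "POST", "/v2/surveys", body, h, "write", t0 + 8 * day)[1]
    out["tampered_body"] = verify(ring, "POST", "/v2/surveys", body + b" ", h, "write", t0 + 8 * day)[1]
    out["replayed_later"] = verify(ring, "POST", "/v2/surveys", body, h, "write", t0 + 8 * day + 600)[1]
    return out


if __name__ == "__main__":
    for step, verdict in rotation_demo().items():
        print(f"{step:>20}: {verdict}")
```

The order of checks matters: key lookup and the timestamp window come before the MAC so that a dead key or a replayed request is rejected cheaply, and `hmac.compare_digest` is used for the MAC itself. During the overlap the old key keeps working with its original scope only; once the window closes it is indistinguishable from an unknown key.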
OAuth 2.0 Authorization Flow
Implement secure third-party integrations using our standardized PKCE-enhanced OAuth 2.0 implementation.
When building apps for the FeedBackPro marketplace or connecting to external CRMs like HubSpot, Salesforce, or Pipedrive, OAuth 2.0 eliminates the need to share raw credentials. Our authorization server sits at `https://auth.feedbackpro.de/oauth2`. The flow supports the authorization code, client credentials, and refresh token grant types. All tokens are JWTs signed with RS256 and valid for 1 hour; when your app validates one, pin the expected algorithm to RS256 and check `exp` rather than trusting whatever the token header claims. Refresh tokens persist for 30 days; once a refresh token expires the merchant must re-authenticate.
Step 1: Client Registration
Register your application in the developer portal to receive a `client_id` and `client_secret`. Define redirect URIs matching your app's callback domain (e.g., `https://app.yourdomain.com/callback`).
Step 2: Authorization Request
Redirect merchants to our consent screen with the requested scopes (`feedback.read`, `feedback.write`, `webhooks.manage`). Include a random `state` value in the request and check that the callback returns the same value, so that an authorization response cannot be injected into another session. FeedBackPro displays a transparent permission summary before granting access.
Step 3: Token Exchange
Exchange the authorization code for an access token via a POST request to `/oauth/token`. Send the PKCE `code_verifier` so the server can confirm it matches the `code_challenge` from Step 2; this is what defeats authorization code interception, because an attacker who captures the code from the redirect does not hold the verifier. Confidential (server-side) clients also authenticate with their `client_secret`; the secret must never be embedded in a browser or mobile app.
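The three steps above run end to end with PKCE, as an added example that is not FeedBackPro's SDK or authorization server code. The authorization server is replaced by a minimal in-memory stand-in so the exchange executes offline. Assumptions the page does not state: the authorize endpoint path `https://auth.feedbackpro.de/oauth2/authorize`, the use of a `state` parameter, and all client ids, secrets and token values, which are constructed.

```python
"""Added example (not FeedBackPro's SDK or server code): PKCE authorization code
flow with a constructed in-memory authorization server. Endpoint path, client
credentials and token values are assumptions, not taken from the page.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.feedbackpro.de/oauth2/authorize"  # assumed path


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_pkce_pair():
    """code_verifier (43 chars here; RFC 7636 allows 43..128) and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def build_authorization_url(client_id, redirect_uri, scopes, challenge, state):
    """Step 2: the URL the merchant is redirected to. Only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


class FakeAuthServer:
    """Constructed stand-in for the authorization server, enough to show the checks."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> {"secret": ..., "redirect_uris": {...}} from Step 1
        self.codes = {}

    def authorize(self, url):
        """Consent accepted: bind the code to client, redirect_uri and challenge."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            return None  # exact-match redirect URI, or the code could be sent elsewhere
        if q.get("code_challenge_method") != "S256" or not q.get("code_challenge"):
            return None  # refuse the plain method
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "challenge": q["code_challenge"], "scope": q.get("scope", "")}
        return code, q.get("state")

    def token(self, form):
        """Step 3: POST /oauth/token. Code is single use; verifier must hash to the stored challenge."""
        rec = self.codes.pop(form.get("code", ""), None)
        if rec is None:
            return {"error": "invalid_grant"}
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if rec["client_id"] != form.get("client_id") or rec["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not hmac.compare_digest(expected, rec["challenge"]):
            return {"error": "invalid_grant"}  # interceptor holds the code but not the verifier
        return {"access_token": "constructed-jwt", "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def run_flow(server, client_id, client_secret, redirect_uri, verifier_override=None):
    """Client side of the whole exchange; returns (code, token response)."""
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(client_id, redirect_uri, ["feedback.read"], challenge, state)
    result = server.authorize(url)
    if result is None:
        return None, {"error": "authorization_refused"}
    code, returned_state = result
    if not hmac.compare_digest(state, returned_state or ""):
        return code, {"error": "state_mismatch"}  # response is not bound to this session
    form = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri,
            "code_verifier": verifier_override or verifier}
    return code, server.token(form)


# constructed registration from Step 1
CLIENTS = {"app_123": {"secret": "constructed-secret",
                       "redirect_uris": {"https://app.yourdomain.com/callback"}}}

if __name__ == "__main__":
    print(run_flow(FakeAuthServer(CLIENTS), "app_123", "constructed-secret",
                   "https://app.yourdomain.com/callback")[1])
```

The `verifier_override` parameter exists only to show the failure mode: a caller that has the code but not the verifier gets `invalid_grant`, and the code is consumed on the first attempt so it cannot be retried. Against the real server the `FakeAuthServer` calls become an HTTPS redirect and an HTTPS POST; the client-side logic is unchanged.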
Security & Compliance Standards
Follow these operational guidelines to maintain SOC 2 Type II compliance and protect merchant data pipelines.
FeedBackPro enforces TLS 1.3 for all API endpoints and automatically rejects HTTP/1.0 requests. Rate limiting is applied at 1,200 requests per minute per key; 429 responses carry backoff headers that your client should honour instead of retrying immediately. PII handled by our webhook delivery system is protected by TLS 1.3 in transit and encrypted at rest using AES-256-GCM. Audit logs for authentication events are retained for 365 days and are accessible via the compliance dashboard.
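How a well-behaved client stays under the 1,200 requests/minute limit and reacts to a 429, as an added example that is not FeedBackPro's SDK. The page says 429 responses include backoff headers without naming them, so this block assumes a `Retry-After` header in delta-seconds; the HTTP transport is a constructed fake so the code runs offline.

```python
"""Added example (not FeedBackPro's SDK): a client-side token bucket sized to
the 1,200 requests/minute limit, plus a retry loop for 429 responses that
honours an assumed Retry-After header. The transport is a constructed fake.
"""
import random
import time
from typing import Callable, Optional

LIMIT_PER_MINUTE = 1200


class TokenBucket:
    """Refills at 20 tokens/s (1,200/min); a request goes out only when a token is available."""

    def __init__(self, per_minute: int = LIMIT_PER_MINUTE,
                 now: Callable[[], float] = time.monotonic):
        self.capacity = float(per_minute)
        self.rate = per_minute / 60.0
        self.tokens = float(per_minute)
        self.now = now
        self.last = now()

    def try_acquire(self) -> bool:
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def parse_retry_after(value: Optional[str]) -> Optional[float]:
    """Only the delta-seconds form is handled; the HTTP-date form is treated as absent."""
    if value is None or not value.strip().isdigit():
        return None
    return float(value.strip())


def backoff_delay(attempt: int, retry_after: Optional[float], base: float = 0.5,
                  cap: float = 30.0, rng: Callable[[], float] = random.random) -> float:
    """Honour Retry-After when the server sends one; otherwise exponential backoff with full jitter."""
    if retry_after is not None:
        return retry_after
    return rng() * min(cap, base * (2 ** attempt))


def send_with_retry(send: Callable[[], tuple], max_attempts: int = 5,
                    sleep: Callable[[float], None] = time.sleep,
                    rng: Callable[[], float] = random.random):
    """send() returns (status, headers, body). Retries on 429 only; everything else is returned.
    Use only for idempotent requests: a retried non-idempotent POST may be applied twice."""
    delays = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body, delays
        delay = backoff_delay(attempt, parse_retry_after(headers.get("Retry-After")), rng=rng)
        delays.append(delay)
        sleep(delay)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")


def demo():
    """Deterministic walk-through with a fake clock, fake sleep and constructed responses."""
    clock = [0.0]
    bucket = TokenBucket(now=lambda: clock[0])
    burst_allowed = sum(bucket.try_acquire() for _ in range(1300))    # 1200 succeed, 100 refused
    clock[0] += 1.0
    after_one_second = sum(bucket.try_acquire() for _ in range(100))  # 20 tokens refilled
    # constructed responses: a 429 with Retry-After, a 429 without, then success
    responses = iter([(429, {"Retry-After": "2"}, b""), (429, {}, b""), (200, {}, b'{"ok":true}')])
    slept = []
    status, body, delays = send_with_retry(lambda: next(responses), sleep=slept.append, rng=lambda: 1.0)
    return burst_allowed, after_one_second, status, delays


if __name__ == "__main__":
    print(demo())
```

The bucket prevents most 429s in the first place; the retry loop covers the cases it cannot see, such as several workers sharing one key. Full jitter keeps a fleet of clients from retrying in lockstep after a shared outage.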
Scope Minimization
Request only the permissions your integration requires. Over-scoped tokens trigger automated security alerts in the merchant's admin panel and may require manual approval.
Secure Storage
Never hardcode credentials in client-side JavaScript or commit them to version control. Use environment variables, AWS Secrets Manager, or HashiCorp Vault for runtime injection.
Monitoring & Alerts
Enable webhook notifications for authentication failures and unusual geographic request patterns. FeedBackPro's threat detection system automatically suspends keys exhibiting brute-force signatures.