Security docs

Review workspace access, endpoint secrets, signatures, and payload handling.

Workspace access

Team members sign in before they can manage sources, destinations, alerts, Dispatch apps, or API keys. Remove workspace members when access should end.

  • Use team access for people who need to operate the dashboard.
  • Use API keys for backend services.
  • Use portal sessions for your customers' endpoint settings. Do not give customers workspace access.

Signatures and secrets

Add vendor signing secrets to verify incoming events when the vendor supports signatures. For Dispatch endpoints, rotate endpoint secrets from the dashboard or customer portal.

  • Copy vendor signing secrets directly from the vendor dashboard.
  • Rotate a source token when the ingest URL may have been exposed.
  • Rotate endpoint signing secrets after customer employee turnover or suspected leakage.
  • Keep API keys server-side and revoke keys that are no longer used.
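One way a receiving endpoint can keep verifying deliveries while an endpoint signing secret is being rotated, as an added example that is not Dispatch's own code. The signature scheme (hex HMAC-SHA256 over `timestamp.body`), the 300-second tolerance, and every name below are assumptions; use the format your vendor or Dispatch actually documents.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a documented value

# Constructed sample values (not real secrets or a real delivery).
OLD_SECRET = b"constructed-old-secret"
NEW_SECRET = b"constructed-new-secret"
BODY = b'{"type":"invoice.paid","id":"evt_constructed_1"}'
SENT_AT = 1_700_000_000


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over b"<timestamp>.<raw body>"."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secrets, timestamp, signature, body, now=None):
    """Return the label of the secret that verified, or None to reject.

    `secrets` maps a label ("current", "previous") to secret bytes. Keep
    "previous" only while a rotation is in flight, then drop it so a leaked
    old secret stops being accepted.
    """
    now = time.time() if now is None else now
    if not isinstance(signature, str):
        return None
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return None
    if abs(now - ts) > TOLERANCE_SECONDS:
        return None  # stale or future-dated delivery: reject as a replay
    matched = None
    for label, secret in secrets.items():
        expected = sign(secret, ts, body).encode()
        # compare_digest is constant-time; every secret is checked so the
        # response time does not reveal which one matched.
        if hmac.compare_digest(expected, signature.encode()) and matched is None:
            matched = label
    return matched
```

Logging the returned label shows when the sender has switched to the new secret, which is the signal to remove the previous one from the accepted set.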

Payload handling

Payloads are used for delivery, replay, metrics, and anomaly detection. They are not used for model training.

Only show payloads to team members who need to debug the event. If a payload contains sensitive customer data, treat event detail pages and exported logs with the same care as your application logs.

API keys

Create API keys for backend services only. Revoke keys from the Dispatch dashboard when rotating credentials or removing an integration.

  • Use one key per service or environment so rotation has a clear owner.
  • Prefer narrow scopes for automation that only creates portal sessions or only sends messages.
  • Store keys in your secret manager. Do not embed them in customer-facing pages.

Portal sessions

Portal sessions are short-lived links for one recipient. Create a fresh session when a customer opens webhook settings, and avoid storing portal URLs after the browser session ends.