Account Setup


Utilising the sandbox environment for API development requires the First AML team to configure a number of details. When you are ready to begin testing your integration, reach out to First AML support with the following details:

  • Email addresses of the users to be provisioned in the sandbox environment, and the role each should have (these accounts will be used for manual testing).
  • API clients you need provisioned, and what scopes are required for each client (include the api-management scope if you wish to manage webhooks via the API).

Once you have completed the development of your integration and tested it against the sandbox environment, you can deploy it to the production environment.

To do this, the First AML support team will need the following information for your production environment.

  • API clients you need provisioned, and what scopes are required for each client (include the api-management scope if you wish to manage webhooks via the API).

Once your API client is provisioned with the api-management scope, you can manage your webhook subscriptions directly through the API. See the Webhooks documentation for details.

API client details for production environments will be shared via a secure method, and the API client secret must be stored securely.

Prior to go-live your API integration in Sandbox will undergo review by the First AML Team.

Sandbox Review

Prior to issuing production credentials, First AML will review the behaviour of your integration against the Public API to ensure it is behaving in line with expectations. Specifically, we will be looking to ensure that:

  • The integration respects throttling limits and applies exponential back-off before re-attempting a throttled request.
  • Access tokens are cached and reused appropriately; the integration does not request a new access token while the current one has yet to expire.
  • All requests include a User-Agent header (requests without one are rejected with a 403 Forbidden response).
  • The integration does not attempt to access resources it is not authorised for (based on the scopes selected).
  • The integration does not over-select data for its use case (request only the fields you actually need).
  • We may also ask questions to confirm that the Client Key and Secret are adequately protected, e.g.:
    • API credentials are not stored in plain-text configuration files.
    • API credentials are not checked into source control.
    • API credentials are stored encrypted at rest.
    • Access tokens are stored encrypted at rest (unless cached in memory only).
    • API credentials and access tokens are only stored and used server-side, and are never exposed to any client-side technology that would allow an end user of the integration to obtain the access token and make their own requests.
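The review checklist above maps directly onto a few lines of client code. The following Python is an added illustration for this page, not First AML's SDK or sample code: it caches the access token until shortly before expiry, sends a User-Agent on every request, backs off exponentially (with jitter) on 429 and 5xx responses, and reads the client key and secret from the environment rather than from a config file in the repository. The token endpoint is abstracted behind a `fetch` callable, the environment-variable names (FIRSTAML_CLIENT_ID / FIRSTAML_CLIENT_SECRET), the User-Agent string and the GraphQL query are assumptions, and the network is replaced by a constructed in-memory transport so the example runs offline.

```python
"""Sandbox-review checklist as client code. Illustrative only, not First AML's
SDK: token endpoint, env-var names and User-Agent are assumptions, and the
network is a constructed in-memory stand-in so this runs offline."""
import os
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

USER_AGENT = "example-aml-integration/1.0"  # assumed product/version string


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Token:
    access_token: str
    expires_at: float  # on the same clock TokenCache uses


def load_credentials(env=os.environ):
    """Read the client key and secret from the environment (or a secrets
    manager), never from a config file in the repo. Variable names assumed."""
    try:
        return env["FIRSTAML_CLIENT_ID"], env["FIRSTAML_CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential {missing}") from None


class TokenCache:
    """Hold one access token in memory and reuse it until `skew` seconds
    before expiry; only then call the token endpoint (`fetch`) again."""

    def __init__(self, fetch: Callable[[], Token], clock=time.monotonic, skew=60.0):
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token: Optional[Token] = None
        self.fetches = 0  # how often the token endpoint was hit

    def get(self) -> str:
        if self._token is None or self._clock() >= self._token.expires_at - self._skew:
            self._token = self._fetch()
            self.fetches += 1
        return self._token.access_token


def backoff_delay(attempt: int, base=0.5, cap=30.0, rng=random.random) -> float:
    """Exponential back-off with full jitter: uniform in [0, min(cap, base*2^attempt)]."""
    return min(cap, base * 2 ** attempt) * rng()


class ApiClient:
    """Sends GraphQL queries with a User-Agent, a cached bearer token and
    back-off on 429/5xx. `transport(headers, query) -> Response` is injected."""

    def __init__(self, transport, tokens: TokenCache, sleep=time.sleep,
                 rng=random.random, max_attempts=5):
        self.transport, self.tokens, self.sleep = transport, tokens, sleep
        self.rng, self.max_attempts = rng, max_attempts

    def request(self, query: str) -> Response:
        for attempt in range(self.max_attempts):
            headers = {"User-Agent": USER_AGENT,  # missing UA => 403 per the review
                       "Authorization": f"Bearer {self.tokens.get()}"}
            resp = self.transport(headers, query)
            if resp.status != 429 and resp.status < 500:
                return resp
            if attempt == self.max_attempts - 1:
                raise RuntimeError(f"gave up after {self.max_attempts} attempts (HTTP {resp.status})")
            # Honour a standard Retry-After header if present, otherwise back off.
            retry_after = resp.headers.get("Retry-After")
            self.sleep(float(retry_after) if retry_after else backoff_delay(attempt, rng=self.rng))


class FlakyTransport:
    """Constructed stand-in for the network: 429 for the first `failures`
    calls, then 200. Records the headers of every call for inspection."""

    def __init__(self, failures=2):
        self.failures = failures
        self.calls: List[Dict[str, str]] = []

    def __call__(self, headers, query) -> Response:
        self.calls.append(dict(headers))
        if len(self.calls) <= self.failures:
            return Response(429)
        return Response(200, body='{"data":{}}')


def demo() -> dict:
    """Drive the client with a fake clock and fake network; returns the facts
    the review looks for: UA sent, token fetched once until near expiry, back-off."""
    clock = {"t": 0.0}
    sleeps: List[float] = []
    cache = TokenCache(lambda: Token(f"tok-{clock['t']}", clock["t"] + 3600),
                       clock=lambda: clock["t"])
    transport = FlakyTransport(failures=2)
    client = ApiClient(transport, cache, sleep=sleeps.append, rng=lambda: 1.0)  # no jitter: deterministic
    first = client.request("{ __typename }")  # two 429s, then 200
    for _ in range(3):                        # further calls reuse the cached token
        client.request("{ __typename }")
    clock["t"] = 3541.0                       # inside the 60 s expiry skew window
    client.request("{ __typename }")          # exactly one token refresh
    return {"status": first.status, "transport_calls": len(transport.calls),
            "sleeps": sleeps, "token_fetches": cache.fetches,
            "user_agent": transport.calls[0]["User-Agent"]}


if __name__ == "__main__":
    print(demo())
```

Injecting the clock, sleep function and random source is what makes the back-off and token-cache behaviour unit-testable: the same code that talks to the real token endpoint and network in production can be driven deterministically in CI, which is also the easiest way to prove to a reviewer that the integration does not hammer the token endpoint or retry without waiting.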

The data held within First AML is highly sensitive and we take the security of our customers' and end users' data very seriously. We apologise in advance for any inconvenience this review process may cause, but we do it to ensure we can fiercely guard this sensitive data.

