Use this guide before moving from pilot testing to production automation.
Key handling
- Store tf_content_keys in a secret manager.
- Never commit a key to source control.
- Never log the full key.
- Share only the keyPrefix with TutorFlow support.
- Use different keys for test and production.
- Revoke unused keys.
- Rotate keys when an owner changes.
Admin session handling
Key and webhook management endpoints use a signed-in TutorFlow admin session. Do not use a Content API key to create other keys.
Payload handling
Send only the source content needed for generation. Do not include unnecessary personal data. Keep stable source ids so results can be reconciled without copying extra private fields.
Copyright confirmation
Before sending source content, confirm the customer owns the content or has the right to process it through TutorFlow.
Retention
Store:
- source content id
- Content Integration job id
- idempotency key
- output manifest
- review status
Avoid storing:
- full tf_content_keys
- webhook signing secrets in logs
- duplicate source payloads without a retention policy
Webhook security
- Verify X-Content-Integration-Signature.
- Reject events with missing or invalid signatures.
- Respond quickly after accepting the event.
- Fetch the result endpoint for full details.
- Handle duplicate events safely.
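A receiver that follows the checklist above, added here as an example and not taken from TutorFlow's own code. The signing scheme (hex HMAC-SHA256 over the raw request body) and the eventId and jobId field names are assumptions; replace them with the values from your TutorFlow webhook configuration.

```python
import hashlib
import hmac
import json

HEADER = "X-Content-Integration-Signature"  # header name from this guide
# Constructed sample values; in production load the secret from the secret manager.
SAMPLE_SECRET = b"constructed-test-secret"
SAMPLE_BODY = b'{"eventId": "evt-1", "jobId": "job-123"}'


def sign(secret: bytes, body: bytes) -> str:
    # ASSUMPTION: hex HMAC-SHA256 over the raw body bytes.
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()   # in production: a shared store with a TTL
        self.to_fetch = []   # job ids to fetch from the result endpoint later

    def handle(self, headers: dict, body: bytes) -> int:
        """Return the HTTP status to send back for one delivery."""
        supplied = {k.lower(): v for k, v in headers.items()}.get(HEADER.lower())
        if not supplied:
            return 401  # missing signature: reject
        expected = sign(self._secret, body)
        # Constant-time comparison on bytes; never log either value.
        if not hmac.compare_digest(supplied.strip().encode(), expected.encode()):
            return 401  # invalid signature: reject
        try:
            event = json.loads(body)  # parse only after the signature check
            event_id = str(event["eventId"])  # hypothetical field name
            job_id = str(event["jobId"])      # hypothetical field name
        except (ValueError, KeyError, TypeError):
            return 400
        if event_id in self._seen:
            return 200  # duplicate delivery: acknowledge, do no work twice
        self._seen.add(event_id)
        self.to_fetch.append(job_id)  # respond now, fetch full details out of band
        return 200
```

The signature is computed over the raw bytes as received, so the handler must read the body before any framework re-serializes the JSON.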
Production readiness
Before production:
- Create a production key.
- Store the production key in the production secret manager.
- Register production webhook endpoints.
- Run one small production-like payload.
- Confirm support handoff fields are logged without secrets.
- Confirm key rotation can be completed without code changes.