Content Integration Security

Handle Content API keys, source payloads, logs, webhooks, and production access safely.

Use this guide before moving from pilot testing to production automation.

Key handling

  • Store tf_content_ keys in a secret manager.
  • Never commit a key to source control.
  • Never log the full key; if a log line must identify a key, record only its keyPrefix.
  • Share only the keyPrefix with TutorFlow support, never the full key.
  • Use different keys for test and production.
  • Revoke unused keys.
  • Rotate keys when an owner changes.

Admin session handling

Key and webhook management endpoints require a signed-in TutorFlow admin session. A Content API key is for submitting work, not for administration: do not use one to create other keys, and do not store an admin session token alongside integration credentials.

Payload handling

Send only the source content needed for generation. Do not include unnecessary personal data. Keep stable source ids so results can be reconciled without copying extra private fields.

Before sending source content, confirm the customer owns the content or has the right to process it through TutorFlow.

Retention

Store:

  • source content id
  • Content Integration job id
  • idempotency key
  • output manifest
  • review status

Avoid storing:

  • full tf_content_ keys
  • webhook signing secrets in logs
  • duplicate source payloads without a retention policy

Webhook security

  • Verify X-Content-Integration-Signature against the raw request body before parsing or acting on anything in it.
  • Reject events with a missing or invalid signature, and treat a missing header the same as an invalid one.
  • Verify and record the event, then respond; do the expensive work asynchronously so the sender does not time out and retry.
  • Treat the event as a notification only: fetch the result endpoint for full, authoritative details.
  • Expect at-least-once delivery: deduplicate on a stable event identifier and make downstream processing idempotent.
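The receiver below puts those five rules in order: constant-time signature check on the raw bytes, parse only after the check passes, deduplicate, enqueue the job id for a worker that will call the result endpoint, and return immediately. This is an added example and not TutorFlow's code or documented signature scheme; it assumes the header carries hex HMAC-SHA256 over the raw body keyed with the webhook signing secret, and that each event has `eventId` and `jobId` fields. Confirm the real scheme before using it. The sample secret and event are constructed for the example.

```python
import hashlib
import hmac
import json

# Assumption for this example: the header is hex HMAC-SHA256 over the raw body,
# keyed with the endpoint's signing secret; events carry "eventId" and "jobId".
SIGNATURE_HEADER = "X-Content-Integration-Signature"


def compute_signature(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Constant-time comparison; a missing or malformed header is simply invalid."""
    if not isinstance(header_value, str) or not header_value:
        return False
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected, header_value.strip().lower())


class WebhookReceiver:
    """Verify, deduplicate, enqueue, answer. Fetching the result is a worker's job."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_event_ids = set()  # in-memory here; use a durable store in production
        self.work_queue = []         # job ids a worker resolves via the result endpoint

    def handle(self, headers: dict, body: bytes) -> tuple:
        """Return (status, reason) for one delivery. Verify before parsing anything."""
        header_value = next(
            (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), None
        )
        if not verify_signature(self.secret, body, header_value):
            return 401, "missing or invalid signature"
        try:
            event = json.loads(body)
            event_id, job_id = event["eventId"], event["jobId"]
        except (ValueError, KeyError, TypeError):
            return 400, "malformed event"
        if event_id in self.seen_event_ids:
            return 200, "duplicate ignored"  # already accepted; do not redo the work
        self.seen_event_ids.add(event_id)
        self.work_queue.append(job_id)  # nothing else from the body is trusted
        return 200, "accepted"


# Constructed sample delivery, signed with a constructed secret.
SAMPLE_SECRET = b"whsec_example_do_not_reuse"
SAMPLE_BODY = json.dumps({"eventId": "evt_001", "jobId": "job_42", "status": "completed"}).encode()


def sample_headers(secret: bytes = SAMPLE_SECRET, body: bytes = SAMPLE_BODY) -> dict:
    return {SIGNATURE_HEADER: compute_signature(secret, body)}
```

Two details matter in production beyond this sketch. The signature must be computed over the exact bytes received, so read the raw body before any framework middleware re-encodes it. And the `seen_event_ids` check-then-add is not atomic across workers; back it with a store whose insert fails on a duplicate key (or the job's idempotency key) so two concurrent deliveries of the same event cannot both pass.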

Production readiness

Before production:

  1. Create a production key.
  2. Store the production key in the production secret manager.
  3. Register production webhook endpoints.
  4. Run one small production-like payload.
  5. Confirm support handoff fields (job id, idempotency key, keyPrefix) are logged without the full key or signing secret.
  6. Confirm key rotation can be completed by updating the secret manager alone, with no code change or redeploy of application logic.