Integration Readiness Checklist
Overview¶
This checklist helps fork owners verify that all integration infrastructure is in place before exposing APIs to external consumers. Each item links to the relevant documentation.
The same checklist is available in condensed form in the SpeedPy README.
API Schema & Documentation¶
| Item | Status | What to verify |
|---|---|---|
OpenAPI schema at /api/schema/ |
Ready | Returns valid OpenAPI 3.0 JSON/YAML |
Swagger UI at /api/docs/ |
Ready | Interactive docs load and list your endpoints |
ReDoc at /api/redoc/ |
Ready | Alternative docs render correctly |
Integration manifest at /.well-known/speedpy.json |
Ready | Machine-readable JSON with schema URLs, auth methods, scopes, and capabilities |
Fork owner action: Add your custom endpoints. They appear automatically in the schema via drf-spectacular. Set API_DOCS_PUBLIC=True if docs should be public in production.
See: API
Authentication¶
| Item | Status | What to verify |
|---|---|---|
| Session auth (browser) | Ready | Login via allauth, CSRF on writes |
JWT (POST /api/auth/token/) |
Ready | Access + refresh tokens, MFA gate, verified-email gate |
| Personal access tokens (PATs) | Ready | spd_-prefixed, hashed at rest, scoped, optional expiry |
| OAuth2 Authorization Code + PKCE | Ready | Third-party apps, ChatGPT Actions, automation platforms |
| OAuth2 Device Code | Ready | MCP servers, CLIs |
| Dynamic Client Registration (RFC 7591) | Ready | Optional — enabled by default in dev, disabled in prod |
Fork owner action: Register OAuth2 applications for your integrations (Django admin or create_oauth2_app command). Set redirect URIs for your deployment domain.
See: Authentication, Integrations
Scopes & Permissions¶
| Item | Status | What to verify |
|---|---|---|
Built-in scopes (read:profile, write:profile, read:teams, write:teams, read:products, read:webhooks, write:webhooks, read:jobs, write:jobs, admin) |
Ready | PAT form and OAuth consent show all scopes |
| Custom scope registration | Ready | Add to OAUTH2_PROVIDER["SCOPES"] in settings |
| Scope enforcement on views | Ready | HasScope permission class with required_scopes |
Fork owner action: Register custom scopes for your domain resources (e.g. read:invoices, write:invoices). Set required_scopes on your API views.
See: Integrations — Available scopes, Integrations — Registering custom scopes
Teams & Multi-Tenancy¶
| Item | Status | What to verify |
|---|---|---|
| Team model with roles (owner, admin, member) | Ready | Teams API and admin work |
| Team membership and invitations | Ready | Invitation flow and API endpoints respond |
| Team-scoped API resources | Ready | TeamModel base class for tenant isolation |
Fork owner action: Inherit your domain models from TeamModel for automatic tenant scoping. Design your own authorization model for domain resources beyond the provided team-membership pattern.
See: Teams
Error Handling & Rate Limits¶
| Item | Status | What to verify |
|---|---|---|
| Rate limiting (100/hr anon, 1000/hr auth) | Ready | X-RateLimit-* headers on every response |
| Throttled responses | Ready | 429 with Retry-After header |
| Request correlation IDs | Ready | X-Request-ID header on every response, appears in logs |
| Idempotency keys | Ready | Idempotency-Key header on selected POST endpoints |
Fork owner action: Review default rate limits — tune for your traffic patterns. Consider adding per-endpoint throttle overrides for expensive queries.
See: API — Rate Limiting, API — Request Correlation IDs, API — Idempotency Keys
Webhooks¶
| Item | Status | What to verify |
|---|---|---|
| Webhook subscriptions (team-scoped) | Ready | CRUD API under /api/v1/teams/{team_id}/webhooks/ |
HMAC signing (X-SpeedPy-Signature) |
Ready | Consumers can verify payload authenticity |
| At-least-once delivery with retries | Ready | Exponential backoff, 8 attempts, dead-letter queue |
| Delivery logs and test endpoint | Ready | Inspect logs and send test events via API |
Event taxonomy (resource.sub_resource.action) |
Ready | v1 events: team.member.added, team.invitation.created, user.profile.updated |
Fork owner action:
- Ensure Celery is running for async webhook delivery
- Add domain-specific events via WebhookEvent in mainapp/webhooks/events.py
- Wildcard subscriptions (["*"]) automatically pick up new events
See: Webhooks
MCP & CLI Examples¶
| Item | Status | What to verify |
|---|---|---|
MCP server example (examples/mcp_server/) |
Ready | Exposes API tools for Claude, Cursor, etc. |
MCP tool generator (examples/mcp_server/generate_mcp_tools.py) |
Ready | Generates tools from OpenAPI schema |
CLI example (examples/cli/) |
Ready | PAT and device-flow auth |
Fork owner action: Extend the MCP server with tools for your domain resources. Use generate_mcp_tools.py to scaffold new tools from your OpenAPI schema.
See: Integrations — Starter examples
Versioning & Changelog¶
| Item | Status | What to verify |
|---|---|---|
URL-path versioning (/api/v1/...) |
Ready | All resource endpoints under version prefix |
Deprecation headers (Deprecation, Sunset) |
Ready | Pattern documented, ready to apply |
| 12-month support window for old versions | Ready | Policy documented |
| Changelog | Ready | Updated with each release |
Fork owner action: Bump SPECTACULAR_SETTINGS["VERSION"] when changing API surface. Record API changes in the changelog.
See: API Versioning, Changelog
Production Deployment Checklist¶
Before going live with integrations, strip demo content from your fork (demo API endpoints, scopes, and example references). See Production Readiness for the full guide.
Also verify:
- [ ]
ALLOWED_HOSTSset to your domain(s) - [ ]
SECRET_KEYandSALT_KEYset to unique production values - [ ]
DEBUG = False - [ ]
DCR_ENABLED = False(or add authentication to the registration endpoint) - [ ]
API_DOCS_PUBLICset according to your preference - [ ] HTTPS configured (required for OAuth2 and webhook URLs)
- [ ] Celery running with Redis/RabbitMQ broker (required for webhooks and background tasks)
- [ ] Rate limits tuned for expected traffic
- [ ] OAuth2 redirect URIs configured for production domain