Skip to content

Integration Readiness Checklist

Overview

This checklist helps fork owners verify that all integration infrastructure is in place before exposing APIs to external consumers. Each item links to the relevant documentation.

The same checklist is available in condensed form in the SpeedPy README.

API Schema & Documentation

Item Status What to verify
OpenAPI schema at /api/schema/ Ready Returns valid OpenAPI 3.0 JSON/YAML
Swagger UI at /api/docs/ Ready Interactive docs load and list your endpoints
ReDoc at /api/redoc/ Ready Alternative docs render correctly
Integration manifest at /.well-known/speedpy.json Ready Machine-readable JSON with schema URLs, auth methods, scopes, and capabilities

Fork owner action: Add your custom endpoints. They appear automatically in the schema via drf-spectacular. Set API_DOCS_PUBLIC=True if docs should be public in production.

See: API

Authentication

Item Status What to verify
Session auth (browser) Ready Login via allauth, CSRF on writes
JWT (POST /api/auth/token/) Ready Access + refresh tokens, MFA gate, verified-email gate
Personal access tokens (PATs) Ready spd_-prefixed, hashed at rest, scoped, optional expiry
OAuth2 Authorization Code + PKCE Ready Third-party apps, ChatGPT Actions, automation platforms
OAuth2 Device Code Ready MCP servers, CLIs
Dynamic Client Registration (RFC 7591) Ready Optional — enabled by default in dev, disabled in prod

Fork owner action: Register OAuth2 applications for your integrations (Django admin or create_oauth2_app command). Set redirect URIs for your deployment domain.

See: Authentication, Integrations

Scopes & Permissions

Item Status What to verify
Built-in scopes (read:profile, write:profile, read:teams, write:teams, read:products, read:webhooks, write:webhooks, read:jobs, write:jobs, admin) Ready PAT form and OAuth consent show all scopes
Custom scope registration Ready Add to OAUTH2_PROVIDER["SCOPES"] in settings
Scope enforcement on views Ready HasScope permission class with required_scopes

Fork owner action: Register custom scopes for your domain resources (e.g. read:invoices, write:invoices). Set required_scopes on your API views.

See: Integrations — Available scopes, Integrations — Registering custom scopes

Teams & Multi-Tenancy

Item Status What to verify
Team model with roles (owner, admin, member) Ready Teams API and admin work
Team membership and invitations Ready Invitation flow and API endpoints respond
Team-scoped API resources Ready TeamModel base class for tenant isolation

Fork owner action: Inherit your domain models from TeamModel for automatic tenant scoping. Design your own authorization model for domain resources beyond the provided team-membership pattern.

See: Teams

Error Handling & Rate Limits

Item Status What to verify
Rate limiting (100/hr anon, 1000/hr auth) Ready X-RateLimit-* headers on every response
Throttled responses Ready 429 with Retry-After header
Request correlation IDs Ready X-Request-ID header on every response, appears in logs
Idempotency keys Ready Idempotency-Key header on selected POST endpoints

Fork owner action: Review default rate limits — tune for your traffic patterns. Consider adding per-endpoint throttle overrides for expensive queries.

See: API — Rate Limiting, API — Request Correlation IDs, API — Idempotency Keys

Webhooks

Item Status What to verify
Webhook subscriptions (team-scoped) Ready CRUD API under /api/v1/teams/{team_id}/webhooks/
HMAC signing (X-SpeedPy-Signature) Ready Consumers can verify payload authenticity
At-least-once delivery with retries Ready Exponential backoff, 8 attempts, dead-letter queue
Delivery logs and test endpoint Ready Inspect logs and send test events via API
Event taxonomy (resource.sub_resource.action) Ready v1 events: team.member.added, team.invitation.created, user.profile.updated

Fork owner action: - Ensure Celery is running for async webhook delivery - Add domain-specific events via WebhookEvent in mainapp/webhooks/events.py - Wildcard subscriptions (["*"]) automatically pick up new events

See: Webhooks

MCP & CLI Examples

Item Status What to verify
MCP server example (examples/mcp_server/) Ready Exposes API tools for Claude, Cursor, etc.
MCP tool generator (examples/mcp_server/generate_mcp_tools.py) Ready Generates tools from OpenAPI schema
CLI example (examples/cli/) Ready PAT and device-flow auth

Fork owner action: Extend the MCP server with tools for your domain resources. Use generate_mcp_tools.py to scaffold new tools from your OpenAPI schema.

See: Integrations — Starter examples

Versioning & Changelog

Item Status What to verify
URL-path versioning (/api/v1/...) Ready All resource endpoints under version prefix
Deprecation headers (Deprecation, Sunset) Ready Pattern documented, ready to apply
12-month support window for old versions Ready Policy documented
Changelog Ready Updated with each release

Fork owner action: Bump SPECTACULAR_SETTINGS["VERSION"] when changing API surface. Record API changes in the changelog.

See: API Versioning, Changelog

Production Deployment Checklist

Before going live with integrations, strip demo content from your fork (demo API endpoints, scopes, and example references). See Production Readiness for the full guide.

Also verify:

  • [ ] ALLOWED_HOSTS set to your domain(s)
  • [ ] SECRET_KEY and SALT_KEY set to unique production values
  • [ ] DEBUG = False
  • [ ] DCR_ENABLED = False (or add authentication to the registration endpoint)
  • [ ] API_DOCS_PUBLIC set according to your preference
  • [ ] HTTPS configured (required for OAuth2 and webhook URLs)
  • [ ] Celery running with Redis/RabbitMQ broker (required for webhooks and background tasks)
  • [ ] Rate limits tuned for expected traffic
  • [ ] OAuth2 redirect URIs configured for production domain