All outside communication is always TLS encrypted. For communication with APARIs control API additional security steps are taken. Some of them can be switched off in the sandbox to allow easier integration testing. Those are marked with an asterisk (*). Data provided by the sandbox will never be a real persons full data set. Those are only available in production where all security mechanisms apply.

Sending commands to APARIs control API requires* a mutual TLS connection. Also all incoming communication must arrive from previously whitelisted IP addresses (on Sandbox 0.0.0.0/0 can be whitelisted). Authentication is done via the OAuth2 Client Credentials Grant. The client secrets are generated and are maintained in the Admin Panel.

The webhooks require a valid SSL Certificate to be provided. Its needs to be signed by a known Certificate Authority.