Skip to content
CallingEdge Docs

Credentials

Calling our API

Section titled “Calling our API”

Every request you make to /api/integrations/* carries a bearer token we issue you:

Authorization: Bearer <your-token>

Tokens are scoped to your account. Rotate them at any time from your CallingEdge admin contact; old tokens stop working immediately on revocation.

Webhook delivery (CallingEdge → your URL) is signed. See the webhook contract for the verification scheme.

Webhook intake (your platform → CallingEdge) is signed by each upstream platform using their own scheme (HMAC headers, IP allowlists, mTLS). We verify those for you.

Your platform credentials

Section titled “Your platform credentials”

Each platform page lists the credentials we need from you (OAuth client IDs and secrets, SIP trunk endpoints, IAM keys, queue IDs, etc.). You have two options for where they live.

Default: we hold them in AWS Secrets Manager

Section titled “Default: we hold them in AWS Secrets Manager”
  • Stored in AWS Secrets Manager, encrypted at rest with KMS, scoped per tenant.
  • Each value is namespaced to your account only: no shared blobs, no cross-tenant access.
  • Every read is audited; you can request the audit log at any time.
  • Rotation is supported through the same secure intake; we cut over without dropping calls.
  • You can revoke us at any time by rotating on your side; we will start failing health checks immediately, and you will see it in the provider health endpoint.

We do not ask you to email, Slack, or text us credentials. We send you a one-time secure intake link for each value, which writes straight to the secret store and is then invalidated.

Bring your own secret store

Section titled “Bring your own secret store”

If you run your own secret manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, Azure Key Vault), we can read credentials at call time from a reference you give us instead of holding the value ourselves.

You provide:

  • The secret reference (e.g. an ARN or a Vault path)
  • An IAM trust we can assume with a least-privilege policy
  • (Optional) an external_id we should send on the assume-role for shared-customer separation

We never store the secret value; every call pulls fresh from your store. If you revoke our IAM trust, calls start failing the next time they need that credential.

Ask us about this when you scope the integration.