What is API integration and how long does it take?
API integration connects a software product to a third-party service's Application Programming Interface (API), enabling the product to read and write that service's data programmatically. Examples: integrating Stripe's API to process payments, connecting Twilio's API to send SMS, or linking HubSpot's API to synchronise customer data. Timeline: a simple single-API integration (one service, standard authentication, 3-5 API endpoints) takes 2-3 weeks, including authentication setup, endpoint implementation, error handling, a webhook consumer, and testing. Complex integrations (multiple endpoints, complex data transformation, bidirectional sync) take 3-6 weeks. ClickMasters prices all API integrations as fixed-price after a scoping call.
What is a webhook and how is it different from polling?
A webhook is an HTTP callback from a third-party service to your application when an event occurs: instead of your application repeatedly asking the service "has anything changed?" (polling), the service proactively tells you when something happens. Example: Stripe sends a webhook every time a payment is processed, a subscription renews, or a payment fails, and your application processes each event in real time rather than checking Stripe every 5 minutes. Webhooks are preferred because they are real-time, lower in API usage (no wasted polling calls), and more reliable (no events missed between polls). Key webhook implementation requirements: return 200 OK within 5-10 seconds, verify the webhook signature (HMAC validation; reject unsigned requests), and handle duplicate delivery idempotently (the same event may be delivered multiple times).
What is OAuth 2.0 and why does it matter for API integrations?
OAuth 2.0 is the industry-standard protocol for authorising third-party applications to access a user's data on a service without sharing the user's password. It enables "Sign in with Google/GitHub/Microsoft" (the user authorises your application to read their email and profile) and "Connect your Salesforce account" (the user authorises your application to read/write their Salesforce data). The OAuth 2.0 Authorization Code with PKCE flow is the correct choice for web and mobile: the user is redirected to the provider's authorisation page, approves the requested scopes, and is redirected back with an authorisation code, which is exchanged for access and refresh tokens. Security requirements: PKCE (prevents authorisation code interception), a state parameter (CSRF protection), HttpOnly cookies for token storage (not localStorage), and refresh token rotation (each refresh generates a new token, invalidating the old one).
How do you handle API rate limits in production?
Third-party API rate limits are a common production integration failure mode. ClickMasters implements: rate limit header inspection (most APIs return X-RateLimit-Remaining and X-RateLimit-Reset; read these to know when the limit resets), exponential backoff with jitter (on 429 Too Many Requests, wait with random jitter before retrying, which prevents a thundering herd), request queuing (put API calls into a job queue with a rate limiter; BullMQ limits a queue to N requests/second across all workers), and request batching (Salesforce Bulk API and HubSpot Batch API send 100-200 records in one request instead of separate requests). ClickMasters documents the rate limit of every API integrated and designs the integration architecture to stay within limits at peak load.
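The header-inspection, backoff-with-jitter and client-side throttling pieces above, as an added example (not ClickMasters' production code, and not BullMQ; the throttle is a plain token bucket). The API is simulated in memory, and the sleep, clock and random source are injected so the retry decisions can be checked without waiting; in production you would pass a real timer-based sleep. The header names are the ones the page lists plus Retry-After, which many APIs send alongside a 429.

```javascript
// Added example: rate-limit header inspection, exponential backoff with full jitter,
// a retry wrapper and a token-bucket throttle. The API responses are simulated.

// Seconds to wait according to the response headers, or null when they say nothing.
function waitFromHeaders(headers, nowSeconds) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  if ('retry-after' in h) return Math.max(0, Number(h['retry-after']));
  if (h['x-ratelimit-remaining'] === '0' && h['x-ratelimit-reset']) {
    return Math.max(0, Number(h['x-ratelimit-reset']) - nowSeconds); // reset given as Unix seconds
  }
  return null;
}

// "Full jitter": a random delay in [0, min(cap, base * 2^attempt)]. Spreading the
// retries of many workers over the window is what avoids the thundering herd.
function backoffWithJitter(attempt, { baseSeconds = 1, capSeconds = 60, random = Math.random } = {}) {
  const ceiling = Math.min(capSeconds, baseSeconds * 2 ** attempt);
  return random() * ceiling;
}

// Retry wrapper: prefer the API's own timing from headers, fall back to jittered
// backoff. Retries on 429 and 5xx; other statuses are returned to the caller.
function callWithRetry(apiCall, { maxAttempts = 5, sleep, now = () => Date.now() / 1000, random = Math.random } = {}) {
  if (typeof sleep !== 'function') throw new Error('sleep(seconds) must be provided');
  const delays = [];
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = apiCall();
    if (res.status !== 429 && res.status < 500) return { response: res, attempts: attempt + 1, delays };
    if (attempt === maxAttempts - 1) break;
    const fromHeaders = waitFromHeaders(res.headers || {}, now());
    const delay = fromHeaders !== null ? fromHeaders : backoffWithJitter(attempt, { random });
    delays.push(delay);
    sleep(delay);
  }
  throw new Error(`gave up after ${maxAttempts} attempts`);
}

// Client-side throttle (the role BullMQ's limiter plays in the page's setup):
// at most ratePerSecond sustained calls, with a small burst allowance.
// The clock (seconds) is injected so refill can be checked deterministically.
class TokenBucket {
  constructor(ratePerSecond, burst = ratePerSecond) {
    this.rate = ratePerSecond;
    this.capacity = burst;
    this.tokens = burst;
    this.last = null;
  }

  tryAcquire(now) {
    if (this.last !== null) this.tokens = Math.min(this.capacity, this.tokens + (now - this.last) * this.rate);
    this.last = now;
    if (this.tokens >= 1) { this.tokens -= 1; return true; }
    return false; // caller should queue or delay rather than call the API
  }
}

// Constructed simulated API: answers 429 with reset headers for the first
// limitedCalls requests, then 200.
function makeSimulatedApi(limitedCalls, resetAt) {
  let calls = 0;
  return () => {
    calls += 1;
    if (calls <= limitedCalls) {
      return { status: 429, headers: { 'X-RateLimit-Remaining': '0', 'X-RateLimit-Reset': String(resetAt) } };
    }
    return { status: 200, headers: { 'X-RateLimit-Remaining': '99' }, body: { ok: true } };
  };
}
```

Keeping a bounded maxAttempts and returning non-retryable statuses (4xx other than 429) immediately are the two details that most often go missing: unbounded retries turn a provider outage into a self-inflicted one, and retrying a 400 only burns quota.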