Integrations
Make sure external services work reliably — because third-party dependencies are common failure points.
Run this audit when adding new integrations, before launch, or when experiencing reliability issues with external services.
Useful for developers and ops teams managing external dependencies.
Why This Matters
Your app is only as reliable as its weakest integration. When payment processing goes down, users can't buy. When email fails, users don't get notifications. External services will fail eventually — the question is whether your app handles it gracefully or crashes spectacularly.
What to Check
Focus on these four areas when reviewing integrations:
API Connections
Are API calls reliable? Check that credentials are secure, timeouts are configured, rate limits are handled, and errors show helpful messages instead of crashing.
Webhooks
Are webhooks handled safely? Verify signatures, handle duplicates, process asynchronously, and make sure the same webhook twice doesn't cause problems.
Resilience
What happens when services fail? Implement retry logic, circuit breakers, and graceful degradation so one failing service doesn't take down your entire app.
Monitoring
Do you know when integrations fail? Track error rates, latency, and availability for all external services. Get alerted before users notice problems.
Stage Expectations
What integration standards apply at each stage:
Skip
Mock integrations acceptable. No reliability needed. Just prove the concept.
Light
Real integrations working. Basic error handling. Tokens not hardcoded.
Full
Retry logic in place. Fallbacks defined. Rate limits handled.
Complete
Circuit breakers active. Service health monitored. Degraded mode tested.
Circuit Breaker Pattern
Prevent cascade failures when services go down:
Closed (Normal)
Requests pass through. Failures are counted.
Open (Tripped)
Requests blocked. Fallback used. Waits for timeout.
Half-Open (Testing)
Limited requests allowed. Success closes, failure reopens.
Common Issues
API key exposed in browser
Move API calls to server-side routes. Never expose secrets to client code.
No timeout on API calls
Add timeout (e.g., 30 seconds) to all external requests
One failing service crashes everything
Implement circuit breaker pattern and graceful degradation
Webhook duplicates cause duplicate charges
Store event IDs, check before processing side effects
Rate limited with no recovery
Parse Retry-After header, implement exponential backoff
Run with AI: Use /audit integrations to have an AI agent check your integration setup. The agent will look for exposed credentials, missing timeouts, and error handling gaps.
Next Steps
Continue your quality review: