# Important conventions, best practices, and next steps

Here are some important conventions to remember while working with Spotnana APIs:

- Send and receive API requests and responses in `application/json` format.
- All requests require an `Authorization: Bearer` header carrying a valid access token.
- Store the UUID values returned when creating resources on the platform (e.g., creating a new user); you need them to read, update, or delete those resources later.
- All update APIs (e.g., updating a user profile) require you to send the complete object, not just the fields you changed: fetch the current object, apply your changes, and send the whole result.
- See [error handling](/spotnana/error_handling) to learn more about standard HTTP error codes.

## Security and best practices

The following are some important security recommendations and best practices:

### Credential management

- Store credentials in secure vaults (e.g., AWS Secrets Manager, HashiCorp Vault).
- Never commit credentials to source code repositories.
- Inject credentials and other configuration through environment variables rather than hard-coding them.
- Rotate the `clientSecret` regularly (we recommend every 90 days).
- Use separate credentials for sandbox and production.

### Access controls

- Implement IP-based access controls where possible.
- Use least-privilege access principles.
- Review and audit access permissions regularly.

### Logging and monitoring

- Log all API requests and webhook receipts.
- Monitor for unusual access patterns.
- Set up alerts for authentication failures.
- Maintain audit trails for compliance.

### Incident response

- Develop a security incident response plan.
- Know how to contact the Spotnana integration team.
- Document security incidents and resolutions.

## What to do next?

- Explore the [API developer documentation](/) to better understand the full capabilities of the APIs. Refer to the following sections for more specific information:
  - [Concepts](/spotnana/concepts_intro) to learn more about the terminology used on the platform (e.g., what is a trip?).
  - [Workflows](/spotnana/user_workflow_intro) to understand the complete list of integrations you can build using the APIs.
  - [Guides](/guides/guides-landing-page) to get more details on a specific feature and read instructions on how to use it.
  - [API reference](/openapi/authapi) to view the complete schema along with samples for all the APIs.
- Set up [webhooks](/webhooks/webhook-main-intro) if you need event-driven updates delivered to your custom endpoint. See the [webhook reference](/openapi/webhookeventapi/webhooks) for the list of events we currently support.
- Use the [changelog](/releases/changelog) to track updates made to our APIs.
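## Example: JSON requests, bearer auth, stored UUIDs, and full-object updates

The following is an added example, not Spotnana's own code or schema. It shows a small client that applies the conventions listed at the top of this page: every request is JSON and carries the bearer token, the UUID returned on create is kept for later calls, and an update is done as read-merge-write so the complete object is sent. The transport is injectable, so the demo runs offline against a constructed in-memory stand-in with replace-on-update semantics; the `/users` paths, the user fields, and the fake server's behaviour are assumptions for this example, not Spotnana's API.

```python
"""Added example (not Spotnana's own code or schema): a small JSON client that
follows the page's conventions. The HTTP transport is injectable, so the demo
runs offline against a constructed in-memory fake. The endpoint paths (/users,
/users/{id}) and the user fields are assumptions, not Spotnana's API."""
import json
import uuid
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, path, headers, body) and returns (status, body).
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


class SpotnanaClient:
    def __init__(self, access_token: str, transport: Transport):
        self._token = access_token
        self._transport = transport
        self.created_ids: Dict[str, str] = {}  # UUIDs the platform returned, keyed by email

    def _request(self, method: str, path: str, payload: Optional[dict] = None):
        # Every request is JSON and carries the bearer token.
        headers = {
            "Authorization": f"Bearer {self._token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        }
        body = json.dumps(payload).encode() if payload is not None else b""
        status, raw = self._transport(method, path, headers, body)
        if status == 401:
            raise PermissionError("authentication failed; check the bearer token")
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {raw.decode()}")
        return json.loads(raw) if raw else None

    def create_user(self, profile: dict) -> str:
        resp = self._request("POST", "/users", profile)
        self.created_ids[profile["email"]] = resp["id"]  # keep the UUID for later calls
        return resp["id"]

    def get_user(self, user_id: str) -> dict:
        return self._request("GET", f"/users/{user_id}")

    def update_user(self, user_id: str, changes: dict) -> dict:
        # Update APIs take the whole object: read it, merge the changes, send everything back.
        current = self.get_user(user_id)
        return self._request("PUT", f"/users/{user_id}", {**current, **changes})


class FakeServer:
    """Constructed stand-in for the platform: bearer check, JSON only, replace-on-update."""

    def __init__(self, valid_token: str):
        self.valid_token = valid_token
        self.users: Dict[str, dict] = {}

    def __call__(self, method, path, headers, body):
        if headers.get("Authorization") != f"Bearer {self.valid_token}":
            return 401, b'{"error":"unauthorized"}'
        if body and headers.get("Content-Type") != "application/json":
            return 415, b'{"error":"unsupported media type"}'
        payload = json.loads(body) if body else None
        parts = path.strip("/").split("/")
        if method == "POST" and parts == ["users"]:
            new_id = str(uuid.uuid4())
            self.users[new_id] = {**payload, "id": new_id}
            return 201, json.dumps(self.users[new_id]).encode()
        if len(parts) == 2 and parts[0] == "users" and parts[1] in self.users:
            if method == "GET":
                return 200, json.dumps(self.users[parts[1]]).encode()
            if method == "PUT":
                # The stored object becomes exactly what was sent; omitted fields are gone.
                self.users[parts[1]] = {**payload, "id": parts[1]}
                return 200, json.dumps(self.users[parts[1]]).encode()
        return 404, b'{"error":"not found"}'


def demo():
    """Full-object update keeps every field; a partial PUT against the same API loses them."""
    server = FakeServer(valid_token="tok-123")
    client = SpotnanaClient("tok-123", server)
    uid = client.create_user({"email": "ada@example.com", "givenName": "Ada", "phone": "+15550100"})
    client.update_user(uid, {"phone": "+15550199"})
    after_full = dict(server.users[uid])
    client._request("PUT", f"/users/{uid}", {"phone": "+15550199"})  # the mistake to avoid
    after_partial = dict(server.users[uid])
    return after_full, after_partial
```

In `demo()`, the first update goes through `update_user` and preserves `givenName`; the second sends only the changed field and the stored object loses everything else, which is the failure the "send the complete object" convention protects against. To use the client against the real platform, replace `FakeServer` with a transport built on an HTTP library of your choice and the endpoint paths from the [API reference](/openapi/authapi).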
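## Example: loading credentials from the environment and checking rotation age

The following is an added example, not Spotnana's own code. It puts the credential-management recommendations above into practice: the `clientId` and `clientSecret` come from environment variables rather than source, sandbox and production credentials live under separate names, the secret is redacted from `repr()` so it does not leak into logs, and a secret issued more than 90 days ago is reported as overdue for rotation. The variable names (`SPOTNANA_<ENV>_CLIENT_ID` and so on) and the ISO 8601 "issued at" timestamp stored next to the secret are assumptions of this example.

```python
"""Added example, not Spotnana's own code: read client credentials from the
environment, keep sandbox and production apart, redact the secret, and flag a
clientSecret older than the recommended 90-day rotation window. The variable
names and the ISO 8601 issued-at timestamp are assumptions of this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional

ROTATION_WINDOW = timedelta(days=90)  # the page recommends rotating every 90 days


@dataclass(frozen=True)
class ClientCredentials:
    client_id: str
    client_secret: str
    issued_at: datetime

    def __repr__(self) -> str:
        # Redact the secret so it never lands in logs or tracebacks.
        return f"ClientCredentials(client_id={self.client_id!r}, client_secret='***')"

    def age(self, now: Optional[datetime] = None) -> timedelta:
        return (now or datetime.now(timezone.utc)) - self.issued_at

    def rotation_overdue(self, now: Optional[datetime] = None) -> bool:
        return self.age(now) > ROTATION_WINDOW


def load_credentials(env: Mapping[str, str], environment: str) -> ClientCredentials:
    """Load SPOTNANA_<ENV>_CLIENT_ID / _CLIENT_SECRET / _SECRET_ISSUED_AT (assumed names)."""
    if environment not in ("sandbox", "production"):
        raise ValueError(f"unknown environment {environment!r}")
    prefix = f"SPOTNANA_{environment.upper()}_"
    names = [prefix + suffix for suffix in ("CLIENT_ID", "CLIENT_SECRET", "SECRET_ISSUED_AT")]
    missing = [n for n in names if not env.get(n)]
    if missing:
        # Fail loudly instead of falling back to a default, an empty secret, or the other environment.
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    issued = datetime.fromisoformat(env[names[2]])
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    return ClientCredentials(env[names[0]], env[names[1]], issued)


def audit(env: Mapping[str, str], environment: str, now_iso: str) -> dict:
    """Load one environment's credentials and summarise their state at the given time."""
    creds = load_credentials(env, environment)
    now = datetime.fromisoformat(now_iso)
    shown = repr(creds)
    return {
        "client_id": creds.client_id,
        "age_days": creds.age(now).days,
        "overdue": creds.rotation_overdue(now),
        "redacted": creds.client_secret not in shown and "***" in shown,
    }


# Constructed sample environment for the demo; real code passes os.environ.
SAMPLE_ENV = {
    "SPOTNANA_SANDBOX_CLIENT_ID": "sandbox-client",
    "SPOTNANA_SANDBOX_CLIENT_SECRET": "sandbox-secret-value",
    "SPOTNANA_SANDBOX_SECRET_ISSUED_AT": "2024-01-01T00:00:00+00:00",
    "SPOTNANA_PRODUCTION_CLIENT_ID": "prod-client",
    # The production secret is deliberately absent: loading it must fail,
    # not silently reuse the sandbox secret.
}
```

Run `audit(os.environ, "production", datetime.now(timezone.utc).isoformat())` from a scheduled job and alert on `overdue`; a vault such as AWS Secrets Manager or HashiCorp Vault can populate these variables at startup so the values never sit on disk.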
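## Example: alerting on bursts of authentication failures

The following is an added example, not Spotnana's own code, for the logging-and-monitoring recommendations above. It scans API access-log lines and raises an alert when one client from one source address accumulates a threshold of HTTP 401 responses inside a sliding time window, which is the kind of pattern a leaked or rotated-out token, or a credential-guessing attempt, produces. The log lines and their `<timestamp> client=<id> ip=<addr> <METHOD> <path> <status>` format are constructed for this example; adapt `LINE_RE` to whatever your gateway or application actually writes.

```python
"""Added example, not Spotnana's own code: detect bursts of HTTP 401 responses
per (client, source IP) within a sliding window over constructed access-log lines.
The log format is an assumption of this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample log; one line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z client=app-a ip=203.0.113.5 POST /users 201
2024-05-01T10:00:05Z client=app-a ip=203.0.113.5 GET /users/1 200
2024-05-01T10:01:00Z client=app-b ip=198.51.100.7 GET /trips 401
2024-05-01T10:01:10Z client=app-b ip=198.51.100.7 GET /trips 401
2024-05-01T10:01:20Z client=app-b ip=198.51.100.7 GET /trips 401
2024-05-01T10:01:30Z client=app-b ip=198.51.100.7 GET /trips 401
this line is not in the expected format
2024-05-01T10:01:40Z client=app-b ip=198.51.100.7 GET /trips 401
2024-05-01T10:30:00Z client=app-c ip=192.0.2.9 GET /trips 401
2024-05-01T11:30:00Z client=app-c ip=192.0.2.9 GET /trips 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) ip=(?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, client, ip, status) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["client"], m["ip"], int(m["status"])


def auth_failure_alerts(
    log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)
) -> List[Tuple[str, str, datetime, datetime]]:
    """One (client, ip, first_failure, alert_time) per key that reaches `threshold` 401s within `window`."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str, datetime, datetime]] = []
    alerted = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; a real pipeline would count these too
        ts, client, ip, status = parsed
        if status != 401:
            continue
        key = (client, ip)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)  # alert once per key, not on every further failure
            alerts.append((client, ip, q[0], ts))
    return alerts
```

With the defaults, only `app-b` trips the alert (five 401s in forty seconds); `app-c` has two failures an hour apart and stays quiet unless the window and threshold are loosened. Keying on both client and source IP keeps one noisy integration from masking another; key on the client alone if your integrations sit behind changing egress addresses.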