This guide provides recommendations for building robust, efficient integrations with the SymTrain API.
Authentication
API Key Security
Do:
- ✅ Store API keys in environment variables or secure credential stores
- ✅ Use different keys for development, staging, and production
- ✅ Rotate keys periodically (every 90 days recommended)
- ✅ Restrict key access to authorized personnel only
Don't:
- ❌ Hard-code API keys in source code
- ❌ Commit keys to version control
- ❌ Share keys via email or messaging apps
- ❌ Use production keys in development
Rate Limiting
Limits
- 100 requests per 5 minutes per API key
- Exceeding limits returns
429 Too Many Requests
Strategies
1. Implement Exponential Backoff
Code
2. Batch Operations
- Use bulk endpoints when available (e.g.,
/bulk-import) - Group related requests when possible
3. Caching
- Cache simulation library data (updates infrequently)
- Cache organization/team data locally
Error Handling
HTTP Status Codes
| Code | Meaning | Action |
|---|---|---|
| 200 | Success | Process response |
| 400 | Bad Request | Check request format |
| 401 | Unauthorized | Verify API key |
| 404 | Not Found | Verify resource ID |
| 429 | Rate Limited | Implement backoff |
| 500 | Server Error | Retry with backoff |
Robust Error Handling Pattern
Code
Pagination
Large Result Sets
Always handle pagination for:
- User lists (if > 100 users)
- Reports (if > 100 records)
- Historical data queries
Pattern:
Code
Data Validation
Before Sending Requests
Date Ranges
- Validate maximum 3-month (180-day) span for reports
- Use ISO 8601 format:
YYYY-MM-DD
CSV Files (Bulk Import)
- Validate row count ≤ 750
- Verify email === username
- Check role is "trainee"
- Validate status is ACTIVE or INACTIVE
IDs
- Verify organization ID exists
- Confirm user ID is valid before assignment
- Check simulation ID exists in library
Performance Optimization
1. Parallel Requests (When Possible)
Code
2. Minimize Payload Size
- Request only needed fields
- Use appropriate page sizes (100 is optimal)
3. Connection Pooling
- Reuse HTTP connections when making multiple requests
- Use keep-alive headers
Token Management
User Access Tokens
- Lifespan: 1 hour
- Purpose: Single-use deep-links for simulation access
- Best Practice: Generate fresh tokens for each user session
Code
Monitoring & Logging
What to Log
Essential:
- Request timestamps
- Response status codes
- Error messages
Optional:
- Request/response payloads (exclude sensitive data)
- Response times
- User IDs involved
Sample Logging
Code
Security Considerations
Data Protection
- Use HTTPS for all API requests (enforced by API)
- Validate and sanitize user input before sending to API
- Implement proper access controls in your application
- Don't expose API responses directly to end users
User Data
- Follow GDPR/privacy regulations
- Store minimal user data locally
- Implement data retention policies
- Secure transmission of user tokens
Testing
Recommended Testing Strategy
1. Unit Tests
- Validate request formatting
- Test error handling logic
- Verify pagination logic
2. Integration Tests
- Test against staging environment
- Verify complete workflows
- Test rate limit handling
3. Staging Environment
- Use separate API keys for testing
- Test with production-like data volumes
- Validate bulk operations
Common Pitfalls
| Issue | Solution |
|---|---|
| Hitting rate limits frequently | Implement request batching and caching |
| Token expiration errors | Generate tokens just-in-time, not in advance |
| Pagination missing records | Always check hasMore or compare record counts |
| Date range errors | Validate 180-day maximum before request |
| CSV upload failures | Validate format client-side before upload |
Next Steps
- API Reference - Complete endpoint documentation
- FAQ - Common questions
Last modified on