API security
Security controls operate at three points: token issuance, request handling, and outbound webhook delivery.
Scopes
API credentials are scoped to a defined set of operations at the time they are issued. Every call is checked against those scopes before any business logic runs. Calls that fall outside the authorized scope are rejected at the authentication layer.
Tenants manage their credentials, and the scopes attached to each credential set, from the Dashboard.
Rate limits
Carriyo applies rate limits at the per-tenant and per-endpoint level to protect availability and prevent abuse. When a client exceeds the applicable limit, Carriyo returns HTTP 429 with a Retry-After header. Integrations should honor that header and apply exponential back-off on repeated throttles.
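The client-side handling described above, as an added example that is not Carriyo's own client code: it assumes a caller-supplied send() returning an object with a status code and a headers map, parses both Retry-After forms (delay-seconds and HTTP-date), and waits the longer of the server's hint and a growing back-off so that repeated throttles slow the client down even when the server keeps asking for the same short delay.

```python
import random
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Response:  # minimal stand-in for an HTTP client's response object (assumed shape)
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

def retry_after_seconds(headers: Dict[str, str], now: Optional[datetime] = None) -> Optional[float]:
    """Retry-After carries delay-seconds or an HTTP-date; return seconds to wait, None if absent/unparseable."""
    value = next((v.strip() for k, v in headers.items() if k.lower() == "retry-after"), None)
    if value is None:
        return None
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if when.tzinfo is None:  # "-0000" dates come back naive; treat them as UTC
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())

def call_with_backoff(send: Callable[[], Response], *, max_attempts: int = 5, base_delay: float = 1.0,
                      max_delay: float = 60.0, sleep=time.sleep, rng=random.random) -> Tuple[Response, List[float]]:
    """Call send() until it returns something other than 429 or attempts run out.
    Each wait is max(Retry-After, exponential back-off + jitter); returns (response, waits applied)."""
    delays: List[float] = []
    for attempt in range(max_attempts):
        resp = send()
        if resp.status != 429:
            return resp, delays
        if attempt == max_attempts - 1:
            break
        backoff = min(max_delay, base_delay * 2 ** attempt) + rng() * base_delay  # jitter spreads retries out
        delay = max(retry_after_seconds(resp.headers) or 0.0, backoff)
        delays.append(delay)
        sleep(delay)
    raise RuntimeError("gave up after %d attempts: still rate limited" % max_attempts)

def simulate(throttles: int, retry_after: str = "1", **kw) -> List[float]:
    """Constructed scenario: the first `throttles` calls get 429 + Retry-After, the next gets 200."""
    calls = iter([Response(429, {"Retry-After": retry_after})] * throttles + [Response(200)])
    _, delays = call_with_backoff(lambda: next(calls), sleep=lambda s: None, rng=lambda: 0.0, **kw)
    return delays
```

In a real integration, send() wraps the actual HTTP call, and the jitter and sleep defaults apply; simulate() only exists to show the resulting wait sequence offline.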
Webhook authentication
Outbound webhooks are authenticated using credentials the tenant configures on each webhook endpoint. Carriyo supports OAuth 2.0 and API-key authentication, scoped per tenant. You can rotate those credentials at any time from the Dashboard.
Authenticating every outbound delivery gives the receiving system a verifiable guarantee that the call came from Carriyo, and from your tenant specifically, rather than an unknown third party.