Skip to content
Tropikal Tropikal Docs

Connect Developer Security

Connectors are default-deny. Discovery can show candidate business objects, but nothing is exposed until a local admin grants access.

Setup Rules

  • Setup starts from the local admin screen.
  • Private setup state stays server-side.
  • Browser pages receive safe status only.
  • Administrators do not paste private credentials into Tropikal.
  • Disconnect and key rotation should be available from the connector admin UI where supported.

Grant Rules

Read, Write, and Delete are independent:

  • Read allows list, search, and get operations.
  • Write allows create or update operations.
  • Delete allows destructive operations only when explicitly enabled.

Write does not include Delete. Empty grants expose nothing.

Request Rules

Tropikal calls the connector with signed server-to-server requests. A connector must reject requests with stale timestamps, replayed nonces, modified bodies, wrong paths, wrong queries, unknown connections, disabled grants, or unsupported operations.

Expected input problems should return structured validation errors instead of raw server failures.

Data Rules

  • Reads return declared readable fields only.
  • Writes accept declared writable fields only.
  • Secret-shaped fields are rejected by default.
  • Public browser payloads must not contain private credentials.
  • Mutations should be audit logged without storing private credential material.

Confirmation

Risky writes, publishing, and destructive operations should require review or confirmation in the Tropikal workflow that uses the Connected Data.