mindtickle-security-basics

Security Basics for MindTickle. Trigger: "mindtickle security basics".

AI & Automation 2,266 stars 315 forks Updated today MIT

Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# MindTickle Security Basics

## Overview

MindTickle integrations process employee PII through SCIM provisioning (names, emails, job titles, manager chains) and HR-sensitive data like course completion scores, certification status, and coaching assessments. The API uses bearer token authentication combined with a `Company-Id` header for multi-tenant isolation — omitting or spoofing this header can leak data across tenants. Webhook payloads carrying training completion events must be HMAC-verified to prevent injection of fraudulent compliance records.

## Prerequisites

- Secrets manager (AWS SSM, GCP Secret Manager, or Vault) for API tokens
- HTTPS enforced on all SCIM and webhook endpoints
- `Company-Id` validated against an allowlist of known tenant identifiers
- `.env` files in `.gitignore` — never committed to version control
- Data retention policy for employee training records (GDPR/SOC2)

## API Key Management

```typescript
// MindTickle requires both bearer token and company ID for multi-tenant isolation
const MT_API_TOKEN = process.env.MINDTICKLE_API_KEY;
const MT_COMPANY_ID = process.env.MINDTICKLE_COMPANY_ID;

function validateMindTickleConfig(): void {
  if (!MT_API_TOKEN) throw new Error('Missing MINDTICKLE_API_KEY');
  if (!MT_COMPANY_ID) throw new Error('Missing MINDTICKLE_COMPANY_ID');
}

function mindtickleHeaders(): Record<string, string> {
  return {
    Authorization: `Bearer ${MT_API_TOKEN}`,
    'Company-Id': MT_COMPANY_ID!,
    'Content-Type': 'applic...
```
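The Overview and Prerequisites above call for HMAC-verified webhooks and a `Company-Id` allowlist. The following is an added example, not code from the skill or from MindTickle, showing both checks applied to an incoming completion event. It assumes a hex-encoded HMAC-SHA256 over the raw request body and a JSON payload with a `companyId` field; the function names, payload fields and sample values are hypothetical.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Assumptions (not from MindTickle documentation): the signature is a
// hex-encoded HMAC-SHA256 of the raw body; the payload has a companyId field.
type Verdict = { ok: true; event: unknown } | { ok: false; reason: string };

function signBody(rawBody: string, secret: string): string {
  return createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex');
}

function verifyWebhook(
  rawBody: string,
  signatureHex: string | undefined,
  secret: string,
  allowedCompanyIds: ReadonlySet<string>,
): Verdict {
  // Reject anything that is not exactly 32 bytes of hex before comparing.
  if (!signatureHex || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return { ok: false, reason: 'missing or malformed signature' };
  }
  const expected = Buffer.from(signBody(rawBody, secret), 'hex');
  const received = Buffer.from(signatureHex, 'hex');
  // Equal lengths are guaranteed above, so timingSafeEqual cannot throw.
  if (!timingSafeEqual(expected, received)) {
    return { ok: false, reason: 'signature mismatch' };
  }
  // Parse only after the signature over the raw bytes has been verified.
  let event: unknown;
  try {
    event = JSON.parse(rawBody);
  } catch {
    return { ok: false, reason: 'invalid JSON' };
  }
  // Tenant check: a valid signature does not make an unknown tenant acceptable.
  const companyId = (event as { companyId?: unknown } | null)?.companyId;
  if (typeof companyId !== 'string' || !allowedCompanyIds.has(companyId)) {
    return { ok: false, reason: 'unknown tenant' };
  }
  return { ok: true, event };
}

// Constructed sample input (hypothetical secret, tenant and event fields).
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_TENANTS: ReadonlySet<string> = new Set(['acme-co']);
const SAMPLE_BODY = JSON.stringify({
  companyId: 'acme-co', type: 'course.completed', userId: 'u-1', score: 92,
});
```

The signature must be computed over the exact bytes received, so the handler needs the raw body rather than a re-serialized parsed object.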

Details

Author: jeremylongshore
Repository: jeremylongshore/claude-code-plugins-plus-skills
Created: 7 months ago
Last Updated: today
Language: Python
License: MIT