# Security Best Practices
Follow these practices to keep your TheVibeCRM integrations and webhook endpoints secure.
- Keep webhook secrets private — never expose them in client-side code, public repos, or logs.
- Use HTTPS — all webhook endpoints should be accessed over HTTPS to prevent secret interception.
- Rotate secrets if compromised — delete the listener and create a new one to generate a fresh secret.
- Restrict Supabase keys — if using the Supabase integration, prefer the `anon` key with appropriate RLS policies over the `service_role` key.
- Monitor webhook activity — check the "Last Synced" timestamp on your listeners to ensure they're receiving data.
- Stripe keys — use Stripe restricted keys with only the permissions you need when possible.
- Google Calendar — TheVibeCRM only requests read-only scopes; revoke access anytime from your Google Account permissions.
# Field Mapping Reference
When configuring a Supabase listener, you map your source columns to these lead fields:
| Lead Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | String | Yes | — | The lead's full name |
| email | String | Yes | — | The lead's email address |
| phone | String | No | null | Phone number |
| companyName | String | No | null | Company name |
| companyUrl | String | No | null | Company website URL |
| source | String | No | "Supabase" | Where the lead came from |
| value | Decimal | No | 0 | Monetary value associated with the lead |
| recurrence | String | No | "One-time" | "One-time" or "Recurring" |