Construction compliance API, SSO and signed webhooks: enterprise integrations arrive in Site Control
Site Control now ships enterprise integrations: a read-only construction compliance API with scoped account keys, SAML single sign-on with Okta or Microsoft Entra ID, and signed webhooks for real-time site events.
5 min read

TL;DR
Site Control now includes a read-only REST API with scoped account keys (projects, documents, workers, certifications, attendance), SAML single sign-on with Okta, Microsoft Entra ID or any SAML 2.0 provider, and HMAC-signed webhooks for five real-time site events. All three are Site Control tier features; SSO set-up is handled with our team.
In this guide
The Site Book's Site Control tier now ships with a read-only construction compliance API, SAML single sign-on and signed webhooks — the three integrations enterprise IT teams ask about before a principal contractor can roll out new site software. This post covers what each one does, the honest limits of the first release, and how to get access.
Site Control already runs the gate on live, multi-contractor sites: a permanent entrance QR, CSCS capture and review, induction gating before check-in, live attendance and audit-grade exports. What was missing was the plumbing that lets that compliance record flow into the systems the rest of your business already runs — your identity provider, your BI stack, your operations tooling. That is what this release adds.
Why construction compliance needs enterprise plumbing
When a principal contractor evaluates site software, the site team asks about induction gating and attendance. Procurement and IT ask different questions: can our people sign in through the company identity provider? Can we pull the data into our own reporting? Will your system tell ours when something changes on site? Until now, our answers were partial. From this release, all three are a straightforward yes on Site Control.
None of this changes how the site runs day to day. Workers still scan the entrance QR and sign in from their own phone; inductions still gate check-in. The difference is what happens around that record: who can see it, where it flows, and how quickly your other systems hear about it.
A read-only construction compliance API, by design
The API lives under /api/v1 and covers the records that matter for compliance reporting: projects, documents, workers, certifications and site attendance. You authenticate with account-scoped API keys, and every key carries explicit read scopes — read:projects, read:documents, read:workers, read:certifications and read:attendance — so a key minted for a certification dashboard can never fetch anything else.
Three design decisions worth knowing before you build:
- It is read-only, by design. Write scopes will be added later as separate, opt-in scopes, so a key you issue today never silently gains abilities.
- It is rate-limited and paginated. 120 requests per minute per key, with cursor pagination on every list endpoint — enough for dashboards and scheduled syncs, deliberately not a bulk-export channel. The Audit Pack and full ZIP export cover that job.
- It is documented machine-first. An OpenAPI 3.1 spec is published at /api/v1/openapi.json, so you can generate a typed client in your language instead of hand-writing one.
A practical example: your ops dashboard calls GET /api/v1/certifications?expiring_before=2026-08-01 each morning and lists every card and ticket that needs renewing across all of your sites — the same expiry data that drives the in-app alerts.
The full reference, including request and response examples for every endpoint, is at thesitebook.co.uk/docs/api.
Single sign-on with Okta or Microsoft Entra ID
Site Control now supports SAML single sign-on with Okta, Microsoft Entra ID, or any SAML 2.0 identity provider. The connection is based on your company email domain: once it is live, anyone signing in with an email on that domain is routed to your identity provider automatically. Joiners and leavers are managed where your IT team already manages them.
There is also an enforcement option. Require SSO turns The Site Book into a policy gate for team members on your domain: to use the app, they must have signed in through your identity provider. Two honest details enterprise IT will want to know. First, the account owner is always exempt — deliberately, as a break-glass, so an identity-provider outage can never lock your company out of its own compliance records. Second, enforcement is an access gate on the application, not a session-revocation tool.
SSO connections are provisioned with our team rather than self-serve: we exchange metadata with your IT admin, test the connection against your domain, and hand over the enforcement toggle. If you are on Site Control, ask us and we will set it up as part of onboarding.
Signed webhooks for real-time site events
Polling an API is the wrong tool for "tell me the moment something happens". Site Control webhooks push five events to your endpoints as they occur:
- document.generated — a RAMS, CPP, induction, emergency plan, toolbox talk or COSHH PDF finishes generating.
- document.signed — a worker signs a document from their phone via a sign-off link.
- certificate.expiring — a worker certification enters its expiry warning window.
- worker.checked_in — someone checks in to a site, from the portal, entrance QR, kiosk or dashboard.
- induction.acknowledged — a worker acknowledges the site induction.
Every delivery is signed with a Stripe-style HMAC-SHA256 signature in the X-TSB-Signature header, so your endpoint can verify the payload came from us and was not replayed. Failed deliveries retry automatically with increasing backoff — up to six attempts over roughly ten hours — every attempt is recorded in a delivery log in Settings → Integrations, and an endpoint that keeps failing is auto-disabled and flagged rather than silently dropping events.
You can register up to ten endpoints per account, each with its own signing secret, shown once at creation.
Who gets it, and how to start
All three are Site Control features. Google Drive, Xero, Zapier and Slack integrations remain available on paid plans, but SAML single sign-on, the public API and signed webhooks are part of the Site Control tier for principal contractors — alongside per-site contractor access, CSCS capture, induction gating, live attendance and audit-grade exports.
If you are already on Site Control: API keys and webhook endpoints are self-serve in Settings → Integrations today, and SSO starts with a message to our team. If you are evaluating: the enterprise integrations page has the detail, and a walkthrough of Site Control is the fastest way to see the whole tier against your own portfolio.
Create the first job pack free
Start with one real job: RAMS, CPP, COSHH record, induction and sign-off evidence. No card required. Review everything before you use it.
Create my free job pack →Frequently asked questions
Is the construction compliance API read-only?
Yes, by design. Every /api/v1 endpoint is read-only today, and write scopes will be added as separate, opt-in scopes so existing keys never gain abilities silently. It covers projects, documents, workers, certifications and site attendance, at 120 requests per minute per key.
Which identity providers does the SSO support?
Okta, Microsoft Entra ID, or any SAML 2.0 identity provider. The connection is domain-based, there is an option to require SSO across your company domain, and the account owner always keeps a break-glass sign-in. Set-up is handled with our team during Site Control onboarding.
Which webhook events are available?
Five events: document.generated, document.signed, certificate.expiring, worker.checked_in and induction.acknowledged. Each delivery is HMAC-SHA256 signed, retried automatically with increasing backoff (up to six attempts over roughly ten hours), and recorded in a delivery log.
Which plan includes the API, SSO and webhooks?
Site Control only. Google Drive, Xero, Zapier and Slack integrations are included on paid plans, but the enterprise trio — SAML SSO, the public REST API and signed webhooks — is part of the Site Control tier for principal contractors.