Skip to main content

Written by Nicola Dobbie, Founder, The Site BookLast reviewed

Site Control · enterprise integrations

Construction compliance that talks to your systems.

The Site Book's Site Control tier connects construction compliance to your own systems: SAML single sign-on with Okta or Microsoft Entra ID, a read-only REST API covering projects, documents, workers, certifications and attendance, and signed webhooks for real-time site events.

curl "https://thesitebook.co.uk/api/v1/certifications?expiring_before=2026-08-01" \
  -H "Authorization: Bearer sb_live_..."

{
  "data": [
    {
      "id": "cm9x…",
      "worker_id": "cm7k…",
      "worker_name": "D. Kowalski",
      "name": "CSCS Card",
      "issued_at": "2024-08-14T00:00:00.000Z",
      "expires_at": "2026-07-28T00:00:00.000Z",
      "created_at": "2025-11-03T09:12:44.000Z"
    }
  ],
  "next_cursor": null
}

01Single sign-on

Sign in through the identity provider you already run.

Your IT team manages joiners and leavers in Okta or Microsoft Entra ID — Site Control plugs into that instead of adding another password to police. Connect your company domain over SAML, and optionally require SSO so sign-ins on your domain always go through your IdP.

Procurement asking about SSO? Point them at this page and the principal-contractor overview.

  • Okta, Microsoft Entra ID or any SAML 2.0 identity provider
  • Require SSO across your company email domain — team members on your domain sign in through your IdP
  • The account owner is always exempt — an identity-provider outage can never lock your company out
  • Set-up is handled with our team during Site Control onboarding

02Read-only REST API

Pull compliance data into your own reporting.

Feed your BI dashboard, data warehouse or in-house tools from the same records the site gate captures. The API is read-only by design — write scopes will arrive as separate, opt-in scopes so a key you issued today never silently gains abilities.

Full reference at /docs/api, machine-readable spec at /api/v1/openapi.json.

  • Projects, documents, workers, certifications and site attendance
  • Account-scoped API keys with enforced read scopes — shown once, revocable any time
  • 120 requests per minute per key, with cursor pagination
  • OpenAPI 3.1 spec at /api/v1/openapi.json — generate a typed client instead of hand-writing one

03Signed webhooks

React to site events as they happen.

Push real-time events into your own systems instead of polling: notify the compliance team, update a dashboard, or open a ticket the moment something on site changes.

document.generated

A RAMS, CPP, induction, emergency plan, toolbox talk or COSHH PDF finishes generating.

document.signed

A worker signs a document from their phone via a sign-off link.

certificate.expiring

A worker certification enters its expiry warning window.

worker.checked_in

Someone checks in to a site — portal, QR, kiosk or dashboard.

induction.acknowledged

A worker acknowledges the site induction.

  • Every delivery is signed with a Stripe-style HMAC-SHA256 signature (X-TSB-Signature) so you can verify it came from us
  • Automatic retries with increasing backoff — up to six delivery attempts over roughly ten hours — with a delivery log in Settings → Integrations
  • Endpoints that keep failing are auto-disabled and flagged — no silent black holes

The honest scope.

The API is read-only today — write scopes will be added as separate, opt-in scopes. Requiring SSO is an access-policy gate on the app for team members on your domain (the account owner keeps a break-glass sign-in); it is not a session-revocation tool. And the SSO connection itself is set up with our team during onboarding, not self-serve.

Where it helps and where it doesn't

Pros

  • SAML SSO with Okta, Microsoft Entra ID or any SAML 2.0 identity provider — with an option to require SSO across your company domain
  • Read-only REST API with scoped account keys covering projects, documents, workers, certifications and site attendance
  • OpenAPI 3.1 spec published at /api/v1/openapi.json — generate a typed client instead of hand-writing one
  • HMAC-SHA256-signed webhooks with automatic retries and a delivery log in Settings → Integrations

Cons

  • The API is read-only today — write scopes are planned as separate, opt-in scopes
  • SSO connections are provisioned with our team (sales-led), not self-serve
  • Site Control tier only — not included on Starter, Pro or Business

Enterprise integrations are included with Site Control

Starter

£0
  • Risk Assessments (RAMS)
  • Construction Phase Plans (CPP)
  • Site inductions

Pro

£30/mo
  • Risk Assessments (RAMS)
  • Construction Phase Plans (CPP)
  • Site inductions
  • COSHH assessments (standalone doc, SDS upload, site-specific register)
  • Worker cert tracking and expiry alerts
  • Right-to-work evidence records
  • Subcontractor tracking
  • Toolbox talks
  • Integrations (Drive, Xero, Zapier)

Business

£199/mo
  • Risk Assessments (RAMS)
  • Construction Phase Plans (CPP)
  • Site inductions
  • COSHH assessments (standalone doc, SDS upload, site-specific register)
  • Worker cert tracking and expiry alerts
  • Right-to-work evidence records
  • Subcontractor tracking
  • Toolbox talks
  • Integrations (Drive, Xero, Zapier)
  • Up to 5 internal team logins
  • Up to 25 active site portal users
  • Site attendance check-in/check-out
  • Multilingual worker inductions (9 languages)
  • Slack Site Ready readiness checks

Site Control

£675/site/mo
  • Single sign-on (SSO) with Okta or Microsoft Entra
  • Public REST API with scoped account keys
  • Signed real-time webhooks into your own systems
  • Risk Assessments (RAMS)
  • Construction Phase Plans (CPP)
  • Site inductions
  • COSHH assessments (standalone doc, SDS upload, site-specific register)
  • Worker cert tracking and expiry alerts
  • Right-to-work evidence records
  • Subcontractor tracking
  • Toolbox talks
  • Integrations (Drive, Xero, Zapier)
  • Up to 5 internal team logins
  • Up to 25 active site portal users
  • Site attendance check-in/check-out
  • Multilingual worker inductions (9 languages)
  • Slack Site Ready readiness checks
  • Permanent entrance QR: guest sign-in and contractor self-join
  • CSCS credential capture, review and expiry alerts
  • Digital induction gating before check-in
  • Live people-on-site, attendance and audit-grade exports

Running live sites with subcontractors? Site Control is the per-site enterprise tier above Business — entrance QR sign-in, CSCS checks, induction gating, live attendance and audit-grade exports. From £675/site per month, plus £5,000 setup.

Enterprise integration questions

Is the API really read-only?

Yes, by design. Every /api/v1 endpoint is read-only today, and write scopes will be added as separate, opt-in scopes so existing keys never gain abilities silently. It covers projects, documents, workers, certifications and site attendance.

Which identity providers does SSO support?

Okta, Microsoft Entra ID, or any SAML 2.0 identity provider. The connection is based on your company email domain, so workers and guests on other domains are unaffected.

What happens when we require SSO across our domain?

Team members on your company email domain must sign in to The Site Book through your identity provider to use the app. It is an access-policy gate on the application, not a session-revocation tool — and the account owner always keeps a direct sign-in as a break-glass, so an identity-provider outage can never lock your company out.

Which webhook events are available?

Five events: document.generated, document.signed, certificate.expiring, worker.checked_in and induction.acknowledged. Each delivery is HMAC-SHA256 signed, retried automatically with increasing backoff (up to six attempts over roughly ten hours), and recorded in a delivery log.

What are the API rate limits?

120 requests per minute per API key. List endpoints use cursor pagination with up to 100 records per page. The OpenAPI 3.1 spec at /api/v1/openapi.json documents every endpoint, parameter and response shape.

How do we get access?

SSO, the API and webhooks are part of the Site Control tier. API keys and webhook endpoints are self-serve in Settings → Integrations once you are on Site Control; the SSO connection to your identity provider is set up with our team during onboarding. Book a walkthrough to get started.

Are these included on Business plans?

No. Google Drive, Xero, Zapier and Slack integrations are included on paid plans, but SAML SSO, the public REST API and signed webhooks are Site Control only.

SSO · read-only API · signed webhooks

Bring compliance data to the systems your business already runs.

Comparing options first? See how Site Control stacks up as the best construction site access software in the UK, or read the head-to-heads against MSite and Donseed.