Skip to main content

Enterprise integrations: SSO, API keys and webhooks

Site Control

On Site Control, Settings → Integrations grows three extra cards: Public API, Webhooks and Single sign-on (SSO) — for owners and admins.

Mint an API key

  1. Open Manage API keys and click Create API key.

  2. Name it and tick the scopes it needs.

    Keys are scoped — a reporting key doesn't need attendance access.

  3. Copy the key immediately — it's only shown once.

    Revoke kills a key instantly if it leaks.

Add a webhook endpoint

  1. Open Manage webhooks and click Add endpoint.

  2. Enter your HTTPS delivery URL and tick the events you want.

  3. Copy the signing secret — shown once — and verify the X-TSB-Signature header on deliveries.

    Test sends a test delivery; Recent deliveries shows the log; endpoints can be disabled or deleted any time.

Docs and availability

The full API reference (endpoints, scopes, OpenAPI spec, webhook payloads) lives at thesitebook.co.uk/docs/api. SSO, the API and webhooks are Site Control only — Zapier, Drive, Xero and Slack cover the self-serve plans.

Frequently asked questions

Can the API create or update data?

No — the v1 API is read-only by design. Scopes cover projects, documents, workers, certifications and attendance, rate-limited at 120 requests a minute. Full reference at thesitebook.co.uk/docs/api.

How do I set up SSO?

SSO set-up is done with our team — Okta, Microsoft Entra ID or any SAML 2.0 provider. Email [email protected] to get started; it typically takes one working day. Once active you can flip "Require SSO" to enforce it for your whole team (the owner keeps break-glass access).

What events do webhooks send?

Documents generated and signed, certificates expiring, workers checking in, and inductions acknowledged — signed with HMAC-SHA256 so your systems can verify each delivery.

Related guides

Didn't answer it? Email [email protected] — we reply within 24 hours.