Enterprise integrations: SSO, API keys and webhooks
Site Control
On Site Control, Settings → Integrations grows three extra cards: Public API, Webhooks and Single sign-on (SSO) — for owners and admins.
Mint an API key
Open Manage API keys and click Create API key.
Name it and tick the scopes it needs.
Keys are scoped — a reporting key doesn't need attendance access.
Copy the key immediately — it's only shown once.
Revoke kills a key instantly if it leaks.
Add a webhook endpoint
Open Manage webhooks and click Add endpoint.
Enter your HTTPS delivery URL and tick the events you want.
Copy the signing secret — shown once — and verify the X-TSB-Signature header on deliveries.
Test sends a test delivery; Recent deliveries shows the log; endpoints can be disabled or deleted any time.
Docs and availability
The full API reference (endpoints, scopes, OpenAPI spec, webhook payloads) lives at thesitebook.co.uk/docs/api. SSO, the API and webhooks are Site Control only — Zapier, Drive, Xero and Slack cover the self-serve plans.
Frequently asked questions
Can the API create or update data?
No — the v1 API is read-only by design. Scopes cover projects, documents, workers, certifications and attendance, rate-limited at 120 requests a minute. Full reference at thesitebook.co.uk/docs/api.
How do I set up SSO?
SSO set-up is done with our team — Okta, Microsoft Entra ID or any SAML 2.0 provider. Email [email protected] to get started; it typically takes one working day. Once active you can flip "Require SSO" to enforce it for your whole team (the owner keeps break-glass access).
What events do webhooks send?
Documents generated and signed, certificates expiring, workers checking in, and inductions acknowledged — signed with HMAC-SHA256 so your systems can verify each delivery.
Related guides
Didn't answer it? Email [email protected] — we reply within 24 hours.