Built-In Security #

HighLevel Sync implements multiple layers of security:

Authentication & Encryption #

• OAuth2 — Industry-standard authentication flow.
• Encrypted storage — All credentials encrypted using WordPress salts before database storage.
• Auto token refresh — Tokens are refreshed automatically with circuit-breaker protection.

Request Security #

• Nonce verification — All AJAX requests validated with WordPress nonces.
• Capability checks — Admin operations require appropriate user capabilities.
• Input sanitization — All inputs are sanitized; all outputs are escaped.

Webhook Security #

• Shared-secret verification — Webhooks validated via x-ghl-token header.
• Payload size limit — 256 KB maximum to prevent abuse.

Data Protection #

• Log redaction — Tokens, secrets, and authorization headers are automatically redacted in sync logs.
• Rate limiting — Burst (100/10s) and daily (200K) limits protect your GHL API quota.