This checklist helps you verify that your implementation of the Reach Spec is complete, secure, and ready for testing. Use it as a final pass before handing off your API to Reach for validation and sync setup.
- API is publicly accessible over HTTPS
- HTTPS is secured with TLS 1.2 or higher (TLS 1.3 recommended)
- A valid SSL certificate is installed and trusted
- All required endpoints from the Reach Spec are implemented
- Responses are in valid JSON format
- Endpoints return correct HTTP status codes
- No unexpected fields or structures in any response
- Empty datasets return empty arrays (not errors or nulls)
- The partner implements OAuth 2.0 as the authentication method for the API
- Each customer has a unique access token scoped to their data
- Reach authenticates using
Authorization: Bearer <token>on each request - Tokens are long-lived or auto-renewable behind the scenes (no manual intervention required)
- Unauthorized requests return
401 Unauthorizedor403 Forbidden(not200 OKor HTML)
- Requests return within ~1–2 seconds under typical conditions
- No dynamic behavior that alters field names or response structures
- No rate-limiting that would block Reach during off-hours syncs
- All fields defined in the spec are present and correctly formatted
- The API has been tested using realistic customer data
- Responses have been checked against the official Reach Spec:
https://apispec.reachreporting.com/ - Authentication and sample requests have been validated using a tool such as Postman or cURL
- The API works without interactive login (no user session required)
- Base API URL is provided
- A valid client ID and client secret are provided to authenticate with the partner