# Developer Checklist

## Purpose

This checklist helps you verify that your implementation of the Reach Spec is complete, secure, and ready for testing. Use it as a final pass before handing off your API to Reach for validation and sync setup.

## General Setup

- API is publicly accessible over HTTPS
- HTTPS is secured with TLS 1.2 or higher (TLS 1.3 recommended)
- A valid SSL certificate is installed and trusted
- All required endpoints from the Reach Spec are implemented
- Responses are in valid JSON format
- Endpoints return correct HTTP status codes
- No unexpected fields or structures in any response
- Empty datasets return empty arrays (not errors or nulls)

## Authentication

- The partner implements OAuth 2.0 as the authentication method for the API
- Each customer has a unique access token scoped to their data
- Reach authenticates using `Authorization: Bearer <token>` on each request
- Tokens are long-lived or auto-renewable behind the scenes (no manual intervention required)
- Unauthorized requests return `401 Unauthorized` or `403 Forbidden` (not `200 OK` or HTML)

## Behavior & Stability

- Requests return within ~1–2 seconds under typical conditions
- No dynamic behavior that alters field names or response structures
- No rate-limiting that would block Reach during off-hours syncs
- All fields defined in the spec are present and correctly formatted

## Testing & Validation

- The API has been tested using realistic customer data
- Responses have been checked against the official Reach Spec: https://apispec.reachreporting.com/
- Authentication and sample requests have been validated using a tool such as Postman or cURL
- The API works without interactive login (no user session required)

## Delivery to Reach

- Base API URL is provided
- A valid client ID and client secret are provided to authenticate with the partner
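Several of the items above (TLS 1.2 or higher with a trusted certificate, `401`/`403` instead of `200 OK` or HTML for unauthorized calls, valid JSON, empty arrays instead of nulls) can be checked mechanically before handoff. The following self-check is an added example, not code from Reach or the Reach Spec; the helper names are hypothetical, a successful request is assumed to return `200`, and the sample responses are constructed.

```python
import json
import ssl
import urllib.error
import urllib.request

def strict_tls_context():
    """Client context that verifies the certificate and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()            # chain and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def fetch(url, token=None):
    """GET url (optionally with a bearer token); return (status, content_type, body)."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, context=strict_tls_context(), timeout=10) as r:
            return r.status, r.headers.get("Content-Type", ""), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:           # 4xx/5xx still carry a response to inspect
        return e.code, e.headers.get("Content-Type", ""), e.read().decode("utf-8", "replace")

def check_response(status, content_type, body, authenticated):
    """Return the checklist violations found in one response (empty list = pass)."""
    problems = []
    looks_html = "html" in content_type.lower() or body.lstrip().startswith("<")
    if not authenticated:
        # Must be rejected outright, never answered with 200 OK or a login page.
        if status not in (401, 403):
            problems.append(f"unauthenticated request returned {status}, expected 401 or 403")
        if looks_html:
            problems.append("unauthenticated request returned HTML")
        return problems
    if status != 200:                             # assumption: success is reported as 200
        return [f"authenticated request returned {status}, expected 200"]
    try:
        data = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    return ["empty dataset returned null, expected []"] if data is None else []

# Constructed sample responses (not captured from any real API).
SAMPLES = [
    (200, "text/html", "<html>Please log in</html>", False),
    (401, "application/json", '{"error": "unauthorized"}', False),
    (200, "application/json", "null", True),
    (200, "application/json", "[]", True),
]
RESULTS = [check_response(*s) for s in SAMPLES]
```

Against a live deployment, pass the tuple returned by `fetch(url)` and `fetch(url, token)` to `check_response`; a certificate that is not trusted or a server limited to TLS 1.1 or lower makes `fetch` raise before any response is read.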