Security

Kotally admin users sign in with workspace accounts. Admin pages require a valid session, enforce workspace ownership of GoHighLevel locations, and protect form submissions with CSRF checks.

Use the least-privileged role that fits each teammate:

  • Owner: billing, users, and full configuration.
  • Admin: operational configuration and support workflows.
  • Viewer: read-only support access.

GoHighLevel OAuth tokens are stored by installation and location. Webhooks should be signed with the Marketplace app shared secret so Kotally can verify incoming GoHighLevel events.
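The following is an added illustration of the verification step described above; it is not Kotally's code and the page does not specify GoHighLevel's signature format. It assumes the shared secret is used as an HMAC-SHA256 key over the raw request body, with the hex digest carried in an `X-Webhook-Signature` header (both assumptions). The important points it demonstrates are that the check runs on the exact bytes received, before JSON parsing, and that the comparison is constant-time.

```python
import hashlib
import hmac
import json

# Constructed secret for this example only. In a real deployment it comes from
# the Marketplace app configuration and is loaded from a secret manager.
SHARED_SECRET = b"example-marketplace-shared-secret"

# Assumed header name; the page does not say how the signature is transported.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (assumed signing scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only when the presented signature matches the raw body.

    The raw bytes are used as received; re-serialising parsed JSON would change
    whitespace or key order and break the digest. compare_digest is used so the
    comparison time does not depend on how many leading bytes match.
    """
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(presented, expected)


def handle_event(secret: bytes, headers: dict, raw_body: bytes) -> dict:
    """Parse and accept the event only after the signature check passes."""
    if not verify_webhook(secret, headers, raw_body):
        return {"accepted": False, "reason": "bad signature"}
    event = json.loads(raw_body)
    return {
        "accepted": True,
        "type": event.get("type"),
        "location": event.get("locationId"),
    }


if __name__ == "__main__":
    # Constructed sample event; field names are illustrative, not GoHighLevel's.
    body = b'{"type":"ContactCreate","locationId":"loc_123"}'
    good_headers = {SIGNATURE_HEADER: sign_body(SHARED_SECRET, body)}
    print(handle_event(SHARED_SECRET, good_headers, body))
    # A one-byte change to the body invalidates the signature.
    print(handle_event(SHARED_SECRET, good_headers, body + b" "))
```

Unsigned events and events signed with a different secret are rejected the same way as a tampered body, so the handler never acts on an event whose origin it could not verify.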

The embedded app validates signed GoHighLevel context before creating an embed session. Do not place embed URLs in public pages or share signed launch URLs outside GoHighLevel.

Create API clients only for trusted automations. Each token carries a set of scopes such as grant, check, deduct, restore, and summary, plus a list of allowed locations; a request is served only if both the scope and the target location are permitted for that token.

Operational rules:

  • Store tokens in a secret manager, not source code.
  • Rotate a token from Admin -> API Clients if it may have been exposed.
  • Deactivate clients that are no longer used.
  • Send a stable request_id with each mutating request so that a retried call is recognised and not applied twice.
  • Monitor replay and rate-limit records when diagnosing automation issues.
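As an added example (not Kotally's implementation), the following shows how the token model and the operational rules above fit together on the server side: a request is checked against the client's scopes and allowed locations, a deactivated client is refused, and mutating scopes require a request_id that is used to return the stored result on a retry instead of applying the change again. Replays are recorded so they can be reviewed when diagnosing an automation. Which scopes count as mutating, and the gateway structure itself, are assumptions for this example.

```python
from dataclasses import dataclass, field

# Scopes named on the page.
VALID_SCOPES = {"grant", "check", "deduct", "restore", "summary"}
# Assumed: these scopes change a balance and therefore need retry protection.
MUTATING_SCOPES = {"grant", "deduct", "restore"}


@dataclass
class ApiClient:
    client_id: str
    scopes: set
    allowed_locations: set
    active: bool = True


@dataclass
class Gateway:
    clients: dict
    # (client_id, request_id) -> stored result; keyed per client so one
    # client's request_id can never collide with another's.
    completed: dict = field(default_factory=dict)
    # Record of replayed requests, the kind of record the page says to monitor.
    replay_log: list = field(default_factory=list)

    def authorize(self, client_id: str, scope: str, location: str):
        """Least-privilege check: active client, granted scope, allowed location."""
        client = self.clients.get(client_id)
        if client is None or not client.active:
            return False, "unknown or deactivated client"
        if scope not in VALID_SCOPES:
            return False, "unknown scope"
        if scope not in client.scopes:
            return False, "scope not granted"
        if location not in client.allowed_locations:
            return False, "location not allowed"
        return True, "ok"

    def handle(self, client_id: str, scope: str, location: str, request_id, execute):
        """Authorize, then run `execute` at most once per (client, request_id)."""
        ok, reason = self.authorize(client_id, scope, location)
        if not ok:
            return {"status": "denied", "reason": reason}
        if scope not in MUTATING_SCOPES:
            return {"status": "ok", "result": execute()}
        if request_id is None:
            return {"status": "denied", "reason": "request_id required for mutations"}
        key = (client_id, request_id)
        if key in self.completed:
            self.replay_log.append(key)
            return {"status": "replayed", "result": self.completed[key]}
        result = execute()
        self.completed[key] = result
        return {"status": "ok", "result": result}


if __name__ == "__main__":
    # Constructed data: one automation client limited to two scopes and one location.
    gw = Gateway({"bot": ApiClient("bot", {"check", "deduct"}, {"loc_a"})})
    balances = {"loc_a": 10}

    def deduct():
        balances["loc_a"] -= 3
        return balances["loc_a"]

    print(gw.handle("bot", "deduct", "loc_a", "req-1", deduct))   # applied once
    print(gw.handle("bot", "deduct", "loc_a", "req-1", deduct))   # retry: replayed, balance unchanged
    print(gw.handle("bot", "deduct", "loc_b", "req-2", deduct))   # location not allowed
    print(gw.handle("bot", "grant", "loc_a", "req-3", deduct))    # scope not granted
    print(balances, gw.replay_log)
```

Deactivating a client (setting `active` to False) is enough to refuse every request it makes, which is why the page recommends deactivating unused clients rather than leaving tokens valid.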

Billing is handled through Stripe checkout and the customer portal. Do not collect card data directly in Kotally support conversations.

Customer records shown in Kotally are operational data from GoHighLevel events, API grants, and payment events. Limit staff access to the locations they support.