Preparation only

Integration Security Readiness

A reviewer-safe overview of how SmartBiz plans to protect future Messenger and WhatsApp integration secrets for Australian property-agent lead conversations.

No tokens or live connection from this website. This page is static, read-only, and does not activate Messenger, WhatsApp, OAuth, Graph API, WhatsApp Cloud API, n8n, AI replies, or outbound replies.

Current safe state

SmartBiz is operated by E STREAM MEDIA EMPIRE, a Malaysia-registered business. SmartBiz helps agents review buyer intent, organize lead conversations, and prepare clearer next steps under human review.

  • No live OAuth.
  • No token storage.
  • No Graph API.
  • No WhatsApp Cloud API.
  • No n8n.
  • AI reply OFF.
  • Outbound queue OFF.
  • Webhooks fail closed: a request with a missing or invalid verify token or payload signature is rejected and never processed.

Future security requirements

Owner-gated before implementation

  • Owner gate before any secret is inserted into the runtime environment.
  • Owner gate before encrypted token storage is implemented.
  • Owner gate before tenant-to-Page mapping is implemented.
  • Disconnect and revocation flow in place before any customer testing.
  • Audit logs that record token references, never token values.
  • Human review and handoff before any outbound customer communication.

Threat controls

What must never happen

  • No token in browser UI, screenshots, docs, analytics, or error messages.
  • No token value in logs, chat, reports, commits, or support tickets.
  • No cross-tenant token or Page mapping.
  • No forged or replayed webhook accepted as trusted.
  • No accidental customer message or AI auto-reply.
  • No stale token retained after disconnect or revocation.
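The "fail closed" rule under Current safe state and the "no forged or replayed webhook" rule above describe one guard: the Meta webhook GET handshake (hub.mode, hub.verify_token, hub.challenge) and the X-Hub-Signature-256 header, an HMAC-SHA256 of the raw request body under the app secret, prefixed "sha256=". The following is an added illustration of that guard, written for this page and not code from SmartBiz or E STREAM MEDIA EMPIRE. The verify token, app secret, class and function names, and the caller-supplied event id used for replay detection are constructed assumptions; how the event id is pulled from a Messenger or WhatsApp payload is left to the caller.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Mapping, Optional, Set

# Constructed example values: neither is a real secret and neither comes from the page.
EXAMPLE_VERIFY_TOKEN = "example-verify-token"
EXAMPLE_APP_SECRET = b"example-app-secret"


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison; encoding to bytes avoids a TypeError on non-ASCII input."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class WebhookGuard:
    """Fail-closed checks for the webhook handshake and the X-Hub-Signature-256 payload signature."""

    verify_token: str
    app_secret: bytes
    # Event ids already accepted; a repeat is treated as a replay (in-memory here, a shared store in practice).
    seen_event_ids: Set[str] = field(default_factory=set)

    def handle_verification(self, query: Mapping[str, str]) -> Optional[str]:
        """GET handshake: return hub.challenge only if hub.mode and hub.verify_token are right, else None."""
        if query.get("hub.mode") != "subscribe":
            return None
        supplied = query.get("hub.verify_token")
        if not supplied or not _equal(supplied, self.verify_token):
            return None
        return query.get("hub.challenge") or None

    def signature_valid(self, raw_body: bytes, signature_header: Optional[str]) -> bool:
        """POST check: header must be 'sha256=<hex HMAC-SHA256 of the raw body under the app secret>'."""
        if not signature_header:
            return False
        scheme, sep, digest = signature_header.partition("=")
        if sep != "=" or scheme != "sha256" or not digest:
            return False
        expected = hmac.new(self.app_secret, raw_body, hashlib.sha256).hexdigest()
        return _equal(expected, digest.lower())

    def accept_event(self, raw_body: bytes, signature_header: Optional[str], event_id: str) -> bool:
        """True only for a correctly signed, not-yet-seen event; anything else is dropped."""
        if not self.signature_valid(raw_body, signature_header):
            return False
        if event_id in self.seen_event_ids:
            return False
        self.seen_event_ids.add(event_id)
        return True


def sign_body(app_secret: bytes, raw_body: bytes) -> str:
    """Produce the header value the platform would send; used here only to build test inputs."""
    return "sha256=" + hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
```

Two points a practitioner should check in any real handler: the HMAC must be computed over the raw request bytes exactly as received, not over re-serialized JSON, or valid signatures will fail; and a valid signature alone does not stop a replay, because the same signed body can be resent, so the dedup on event id (or an equivalent idempotency key) is what gives the "no replayed webhook" property.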

Future token classes

The following are design-only categories. This page contains no values and does not request any value.

  • Facebook Page access token: future encrypted server-side secret only.
  • WhatsApp Business token: future encrypted server-side secret only.
  • Webhook verify token: owner-only secret field, never documented with value.
  • App secret: owner-only secret field, never documented with value.
  • Future encryption key or KMS reference: owner-gated secure runtime configuration.

Data handling design

  • Log only token references, never token values.
  • Store tokens in encrypted fields in future server-side storage.
  • Map each token to exactly one tenant and its Page, WABA, or phone-number asset.
  • Track disconnect status and revocation timestamp so a revoked token is never reused.
  • Keep customer communication under human review until explicitly enabled.
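"Audit logs without token values" under the owner gates and "store only token references in logs" above are the same mechanism: derive an opaque reference from each token and make sure the raw value cannot reach a log line even by accident. The following is an added illustration of that mechanism, written for this page and not code from SmartBiz or E STREAM MEDIA EMPIRE. The reference key, the function and class names, and the token strings are constructed assumptions.

```python
import hashlib
import hmac
import logging
from typing import Dict, Iterable, List, Sequence

# Constructed example key for deriving log references. Assumption: in a real deployment this is a
# separate secret kept with the other owner-gated runtime configuration, never derived from a token.
EXAMPLE_REFERENCE_KEY = b"example-log-reference-key"


def token_reference(token: str, reference_key: bytes = EXAMPLE_REFERENCE_KEY) -> str:
    """Stable, non-reversible handle for a token: keyed HMAC-SHA256, truncated. Safe to log and correlate."""
    digest = hmac.new(reference_key, token.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tokref_" + digest[:16]


def audit_record(action: str, tenant_id: str, asset_id: str, token: str) -> Dict[str, str]:
    """Audit entry for a token action that carries the reference, never the value."""
    return {
        "action": action,
        "tenant_id": tenant_id,
        "asset_id": asset_id,
        "token_ref": token_reference(token),
    }


class SecretScrubber(logging.Filter):
    """Logging filter that replaces any registered secret value with its reference before emission."""

    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        # Longest first so that a secret which contains another secret is replaced whole.
        self._secrets: List[str] = sorted({s for s in secrets if s}, key=len, reverse=True)

    def scrub(self, text: str) -> str:
        for secret in self._secrets:
            text = text.replace(secret, "[REDACTED " + token_reference(secret) + "]")
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed as %-args are caught too, then freeze the message.
        record.msg = self.scrub(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def scrubbed_log_line(message: str, args: Sequence[object], secrets: Iterable[str]) -> str:
    """Log one message through a scrubber-protected logger and return what would have been written."""
    logger = logging.Logger("smartbiz.example")  # standalone logger, not registered globally
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(SecretScrubber(secrets))
    logger.warning(message, *args)
    return handler.lines[0]
```

The reference is keyed rather than a plain hash so that a leaked log cannot be matched against a list of candidate tokens without the reference key. The scrubber is a last line of defence, not the primary control: it only knows the values registered with it, so code paths that handle tokens should still log the reference directly and never interpolate the value.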

RED / HARD STOP gates

  • Env insertion.
  • Supabase schema migration.
  • Token storage implementation.
  • Real OAuth.
  • Page token exchange.
  • Graph API.
  • WhatsApp Cloud API.
  • n8n live connection.
  • AI reply enablement.
  • Live internal message test.