Authentication between end users and Flatfile
Flatfile customers can sign the session JWT from their own server using a private key. This secures the session and prevents anyone who does not hold the private key from authorizing an import on behalf of the end user. An extra layer of verification can be added by signing the environment variables on a Portal 3.0 with a private key that is known only to you. This removes Flatfile as a possible attack vector.
Authentication between Flatfile customers and Flatfile
Flatfile customers can share with Flatfile a private key (which can be rotated regularly) that is used for signing user sessions (see above) and webhook payloads. This allows Flatfile customers to trust that payloads sent to a webhook come from Flatfile. If a Flatfile customer has also signed the included environment variables with a private key known only to them, they can verify that the validation request is authorized and that not even Flatfile could have tampered with it.
By signing environment variables with your own private key, you are able to cryptographically secure authentication between you and your users without adding Flatfile as a vector that would require further security considerations. With this approach, you do not need to expose a user token that would grant Flatfile access to any API endpoints on behalf of the user.
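The two-key model described in the two sections above, as an added example that is not Flatfile's own code or SDK: a key shared with Flatfile signs the session JWT and webhook payloads, while a second key that never leaves the customer's server signs the environment variables, so a webhook receiver can detect a change to them even if the payload itself carries a valid Flatfile signature. The claim layout, the key values and the JSON body shape are assumptions for illustration only.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys for this illustration. SHARED_KEY is the secret shared
# with Flatfile (rotate it regularly); PRIVATE_KEY stays on our server only.
SHARED_KEY = b"shared-with-flatfile-rotate-me"
PRIVATE_KEY = b"customer-only-key-never-shared"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _canonical(obj) -> bytes:
    # Sorted keys, no whitespace: the MAC must not depend on key order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_env(env: dict) -> str:
    """MAC over the environment variables that only our server can produce."""
    return hmac.new(PRIVATE_KEY, _canonical(env), hashlib.sha256).hexdigest()

def issue_session_jwt(user_id: str, env: dict) -> str:
    """HS256 JWT (assumed claim names) signed with the key shared with Flatfile."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "env": env, "env_sig": sign_env(env)}
    signing_input = _b64url(_canonical(header)) + "." + _b64url(_canonical(payload))
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def flatfile_sign(body: bytes) -> str:
    """Stand-in for the signature Flatfile attaches using the shared key."""
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()

def verify_webhook(body: bytes, flatfile_sig: str) -> dict:
    """Webhook receiver: check Flatfile's MAC, then the customer-only env MAC."""
    if not hmac.compare_digest(flatfile_sign(body), flatfile_sig):
        raise ValueError("payload not signed with the key shared with Flatfile")
    data = json.loads(body)
    if not hmac.compare_digest(sign_env(data["env"]), data["env_sig"]):
        raise ValueError("environment variables changed after leaving our server")
    return data

def webhook_is_trusted(body: bytes, flatfile_sig: str) -> bool:
    try:
        verify_webhook(body, flatfile_sig)
        return True
    except (ValueError, KeyError):
        return False
```

A payload re-signed with the shared key but carrying altered environment variables fails the second check, which is what keeps Flatfile out of the trust path between you and your users.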