Listeners differ from standard Foundry data ingestion, so ensure that you fully understand these security paradigms before enabling your connections.
Request interfaces for listeners are defined by external systems, so they do not conform to standard Foundry authentication or authorization mechanisms. Instead, listeners implement the security protocols laid out by those external systems, which vary widely.
Palantir makes no guarantees about the suitability or effectiveness of these external system protocols. It is your responsibility as a user to ensure that you understand which guarantees each protocol does or does not provide for the incoming requests and data.
The specific protocols implemented for each listener can be found in the Configuration step of the setup wizard, as well as in the external system's documentation.
A minimal set of redactions is performed on the incoming data. It is important to note that these redaction mechanisms are best effort, and Palantir cannot guarantee that sensitive data will be fully redacted.
It is essential to secure both your listener and the output stream. This includes restricting access to both by placing them in a restricted project, as well as applying markings on the listener when necessary.
Requests to listeners are subject to the same ingress controls as the rest of your Foundry enrollment. Ensure that your enrollment's ingress policy has been appropriately configured to accept inbound connections from the external systems. Learn more about ingress configuration.
If providers have not documented a range of IP addresses for ingress configuration, you may need to configure a broader ingress allowlist for the listener to work. For example, to configure a Slack listener hosted in a US-based AWS region, you may need to allowlist either all AWS IP addresses for your Slack instance's region (which are subject to change), or country-wide ingress for the US.
For cases where a wide ingress range is required but cannot be added to your enrollment, a proxy with a wider ingress allowlist can be set up externally to Foundry to forward requests from a set of known user-controlled IP addresses. These IP addresses can then be allowlisted.
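Because a region-wide AWS allowlist is subject to change, it helps to compare it periodically against the ranges AWS publishes. The following is an added example, not Palantir or Foundry code: it assumes you work from a copy of AWS's published `ip-ranges.json` file, and the sample document, the `CURRENT_ALLOWLIST` values and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json. The prefixes are
# documentation-reserved ranges, not real AWS addresses.
SAMPLE_RANGES = json.loads("""
{
  "syncToken": "0000000000",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24",    "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "192.0.2.0/24",      "region": "eu-west-1", "service": "AMAZON"}
  ]
}
""")

# Hypothetical ingress allowlist currently configured for the listener.
CURRENT_ALLOWLIST = ["198.51.100.0/24", "192.0.2.0/24"]


def region_cidrs(ranges, region):
    """Collapse every IPv4 prefix published for a region into minimal CIDRs."""
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in ranges["prefixes"] if p["region"] == region}
    return list(ipaddress.collapse_addresses(nets))


def allowlist_drift(ranges, region, allowlist):
    """Return (missing, stale).

    missing: published CIDRs the allowlist does not fully cover.
    stale:   allowlist entries that overlap no published CIDR for the region.
    """
    published = region_cidrs(ranges, region)
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    # Collapse the allowlist so adjacent entries count as one covering block.
    merged = list(ipaddress.collapse_addresses(allowed))
    missing = [str(p) for p in published
               if not any(p.subnet_of(m) for m in merged)]
    stale = [str(a) for a in allowed
             if not any(a.overlaps(p) for p in published)]
    return missing, stale


if __name__ == "__main__":
    missing, stale = allowlist_drift(SAMPLE_RANGES, "us-east-1", CURRENT_ALLOWLIST)
    print("add to allowlist:     ", missing)
    print("remove from allowlist:", stale)
```

Stale entries matter as much as missing ones: a range that the provider no longer uses stays open to whoever is assigned it next.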