Quick Reference
| Section | Description |
|---|---|
| Core Services | Dashboard, API, reporter, WebSocket |
| Authentication & Billing | Auth endpoints, payment webhooks |
| Integrations | GitHub webhooks, third-party connectors |
| Internal Services | AI analytics, health checks, artifact storage |
| Network Security | CORS, TLS, rate limiting, security headers |
| Firewall Config | Domains to allowlist |
Core Services
| Endpoint | Description |
|---|---|
| app.testdino.com | Web application: dashboard, test results, analytics, settings |
| api.testdino.com | Primary API: authentication, test data, project management, client-server communication |
| api.testdino.com/api/reports/playwright | Reporter endpoint: receives test results via API key authentication |
| api.testdino.com/stream | WebSocket: real-time test result updates |
Authentication & Billing
| Endpoint | Description |
|---|---|
| api.testdino.com/api/auth | Login, registration, OAuth callbacks, password reset, email verification |
| api.testdino.com/api/v1/webhooks/razorpay | Payment webhook: receives events from Razorpay (signature-verified) |
Integration Services
| Endpoint | Description |
|---|---|
| api.testdino.com/api/integrations/v1/github/webhook | GitHub webhook: push events and PR updates (verified via X-Hub-Signature-256) |
| Integration service (internal) | Manages Jira, Linear, Asana, Slack, Monday.com connections. Not internet-facing. Accessed via the primary API. |
Internal Services
| Service | Description |
|---|---|
| AI service (internal) | Test analysis: run insights, failure classification, project analytics. FastAPI/Python. Not internet-facing. |
| api.testdino.com/health | Health check for monitoring and load balancer probes |
| Azure Blob Storage | Artifact storage: screenshots, videos, traces. Access via time-limited SAS tokens (48-hour expiry). |
Network & Security
CORS
The API enforces strict CORS policies:
- Only explicitly configured origins are allowed (no wildcard `*`)
- Origins are defined per environment via the `CORS_ORIGIN` configuration
TLS
- All endpoints enforce HTTPS (TLS 1.2+)
- HTTP requests redirect to HTTPS
- Certificates are managed via hosting infrastructure
Rate Limiting
| Endpoint | Limit |
|---|---|
| Login | 10 requests / 15 minutes |
| Registration | 5 requests / 15 minutes |
| Email verification | 3 requests / 60 minutes |
| Password reset | 2 requests / 60 minutes |
| Global API | 1,000 requests / 15 minutes |
Security Headers
All responses include security headers set via Helmet:
- `Content-Security-Policy` (CSP)
- `X-Frame-Options`
- `X-Content-Type-Options`
- `Strict-Transport-Security` (HSTS)
Firewall Configuration
If your organization uses network-level allowlisting, add these domains:

| Domain | Required For |
|---|---|
| app.testdino.com | Dashboard access |
| api.testdino.com | API, reporter submission, webhooks, WebSocket streaming |
| Azure Blob Storage domain | Artifact uploads and downloads |