API Inventory & Dependency Map

Purpose: Track all external API dependencies, credentials, rate limits, and health status.

Authentication Methods

Service	Auth Type	Credentials Path	Token Refresh
Zoho (all)	OAuth 2.0	(not yet implemented)	Auto
Google Calendar	OAuth 2.0	/credentials/google-calendar-*.json	Auto
Google Drive	OAuth 2.0	/credentials/google-drive-*.json	Auto
Gmail	OAuth 2.0	(not yet implemented)	Auto
Fathom	API Key	/credentials/fathom-api.json	N/A
Vultr	API Key	/credentials/vultr-api.json	N/A
UPS	OAuth 2.0	/credentials/ups-api.json	Auto (cache: ups-token.json)
Quo	API Key	/credentials/quo-api.json	N/A
Tailscale	(system)	Host-level daemon	N/A

Zoho Ecosystem (CRITICAL - Primary Business Systems)

Services Used

1. Zoho CRM - Customer relationship management
2. Zoho Books - Accounting, invoicing
3. Zoho Desk - Customer support ticketing
4. Zoho Cliq - Team chat
5. Zoho Analytics - Business intelligence
6. Zoho Creator - Custom apps

Current Status

• Auth: 🔴 Not implemented
• Credentials: Need OAuth setup
• Rate Limits: Unknown (need to verify per service)
• Critical For: Tier 2 operational automation (CRM workflows, financial automation)
• Priority: HIGH (blocks Tier 2 graduation)

Required Scopes (to be determined)

• CRM: Read contacts, deals, accounts; write notes, tasks
• Books: Read invoices, expenses; write payments
• Desk: Read tickets; write responses, status updates
• Cliq: Send messages, read channels (for notifications)

Google Services

Google Calendar

• Status: ✅ Operational
• Auth: OAuth 2.0 (auto-refresh working)
• Tokens: /credentials/google-calendar-tokens.json
• Client Secret: /credentials/google-calendar-client-secret.json
• Scopes: calendar.readonly
• Rate Limits: 1M requests/day (well within usage)
• Used By:
  • Daily schedule briefings (10 PM PT)
  • Early morning event warnings (6 PM PT)
  • Tool: tools/google-calendar-list.py

Google Drive

• Status: ✅ Operational
• Auth: OAuth 2.0 (auto-refresh working)
• Tokens: /credentials/google-drive-tokens.json
• Scopes: drive.readonly, drive.metadata.readonly
• Rate Limits: 20K requests/day/user
• Used By:
  • Meeting notes search: tools/gdrive-search.py
  • Information retrieval (before asking user)
  • Tool: tools/gdrive-search.py

Gmail (Planned)

• Status: 🟡 Not yet implemented
• Auth: OAuth 2.0 (need to set up)
• Required Scopes: gmail.readonly, gmail.send (draft mode initially)
• Rate Limits: 1B quota units/day (1 send = 100 units)
• Use Cases:
  • Email approval drafts
  • Inbox monitoring (urgent flags)
  • Notification delivery
• Priority: MEDIUM (Tier 2 requirement)

Infrastructure Services

Vultr (VPS Hosting)

• Status: ✅ Operational
• Auth: API Key
• Credentials: /credentials/vultr-api.json
• API Docs: https://www.vultr.com/api/
• Rate Limits: Undocumented (reasonable use)
• IP Allowlist: 144.202.121.97 (VPS must be in allowlist)
• Used By:
  • Weekly snapshot automation: tools/vultr-snapshot.sh
  • Cron: Sundays 10 PM PT
  • Rotation: Keep 4 most recent snapshots

Tailscale (Secure Networking)

• Status: ✅ Operational
• Auth: System-level daemon (host)
• Install: Host-level (survives container rebuilds)
• Device Name: minnie-core
• IP: 100.72.11.53
• Used By:
  • Markdown server access
  • Quo webhook endpoint
  • Remote VPS access from phone/laptop

Communication Services

Quo (Business SMS)

• Status: ✅ Operational (webhook fixed Feb 15, 2026)
• Auth: API Key
• Credentials: /credentials/quo-api.json
• API Docs: https://docs.quo.io
• Rate Limits: Unknown (enterprise account)
• Phone Number: (385) 485-5863 (maps to Quan's personal phone)
• ⚠️ CRITICAL: NEVER use (562) 451-8061, (626) 828-8000, (661) 386-4777, (986) 886-4673
• Used By:
  • Inbound SMS → Telegram: tools/quo-webhook-handler-v2.py
  • Outbound SMS: tools/quo-messaging.py (manual trigger)
  • Systemd service: quo-webhook.service (host-managed)
  • Webhook URL: https://sms-7f2a1b.relay9kq.us/ (port 18791)

Telegram (Primary Interface)

• Status: ✅ Operational
• Auth: Built-in OpenClaw integration
• Bot: @MinnieAssistantBot
• Groups:
  • Main session (Quan direct)
  • Infrastructure & Tech (this group)
  • Other project groups
• Capabilities: Inline buttons, reactions, topic threads
• Rate Limits: 30 messages/sec to different chats

Meeting & Productivity

Fathom (Meeting Transcription)

• Status: ✅ Operational
• Auth: API Key
• Credentials: /credentials/fathom-api.json
• API Docs: https://docs.fathom.video
• Rate Limits: Unknown (generous for paid tier)
• Used By:
  • Webhook notifications: data/webhook/processed/
  • Meeting search: tools/fathom-search.py (to be implemented)
  • Auto-save transcripts to Drive
• Note: Deduplication needed (currently sends duplicate notifications)

Shipping & Logistics

UPS (Package Tracking)

• Status: ✅ Operational
• Auth: OAuth 2.0
• Credentials: /credentials/ups-api.json
• Token Cache: /credentials/ups-token.json (auto-refreshed)
• Account: 15BR09 (Quan's business account)
• API Docs: https://developer.ups.com
• Rate Limits: Varies by endpoint
• Used By:
  • Package tracking: tools/ups-track.py <tracking_number>
  • Returns: Status, location, timestamp, delivery confirmation

API Health Monitoring (Planned)

Metrics to Track

• Response Time: P50, P95, P99 latency per endpoint
• Error Rate: 4xx, 5xx responses
• Token Health: OAuth token expiration warnings (7 days before)
• Rate Limit Usage: % of quota consumed
• Availability: Uptime % per service

Alerting Thresholds

• Critical: Service down, all requests failing
• Warning: Error rate >5%, latency >2s P95, token expires <24h
• Info: Token expires <7 days, rate limit >80% consumed

Implementation Status

• Status: 🔴 Not implemented
• Next Step: Create tools/api-health-check.py with basic ping tests
• Schedule: Every 15 minutes via cron
• Delivery: Telegram alert to Infrastructure & Tech group (this chat)

Credential Rotation Policy

API Keys (Static)

• Review: Quarterly (Mar, Jun, Sep, Dec)
• Rotation Trigger: Suspected compromise, employee offboarding
• Services: Fathom, Vultr, Quo

OAuth Tokens (Auto-Refresh)

• Review: Token refresh failures only
• Manual Intervention: Only if auto-refresh fails 3x
• Services: Google (Calendar, Drive, Gmail), UPS, Zoho

Best Practices

1. Never commit credentials to git (use /credentials/ - gitignored)
2. Store in JSON format: {"api_key": "...", "notes": "..."}
3. Document IP allowlists in TOOLS.md
4. Test credential validity after rotation
5. Keep backup copy in secure location (Quan's 1Password)

Disaster Recovery

Critical Credentials Backup

• Location: Quan's 1Password vault
• Include: All /credentials/*.json files
• Frequency: After any credential change
• Test: Quarterly restore drill (verify credentials still work)

Service Failover

• VPS: Vultr snapshots (4 most recent, can restore in <30 min)
• APIs: No failover (single vendor per service)
• Container: Rebuild from git (all config in repo)

---

Last Updated: 2026-02-16
Next Review: Weekly (Infrastructure domain sync)