document authentication best practices

content/en/Integrations/IntegrationBuilder/how-to-guides.md

@@ -70,3 +70,18 @@ Within this drawer, the outputs from the actions and triggers within your recipe
 You can simply drag-and-drop the data pills from the drawer into action input fields as desired.
 
 ![Data pill mapping](/integrations/integration_builder/how_to_guides/data_pill_mapping.png "Data pill mapping")
+
+## Authentication best practices
+
+Integration Builder establishes connections to other apps using the app's authorization/authentication API.  The available methods can vary, but usually use one of the following:  
+
+* OAuth 2.0
+* OAuth 1.0 (and variations)
+* Basic authentication (username and password)
+* API key or secret
+
+As part of this step, you provide Cobalt with the permission to access data from the app. The permissions granted to Cobalt usually correspond with those of the user authorizing the app.  As such, when creating connections, we recommend:
+
+* Creating a dedicated app user for Cobalt ensures that recipes aren't dependent on the account of a human user. If someone leaves the company, recipes will continue to run. Additionally, it will allow you to tailor the permissions that your Cobalt recipe has to your app, thereby reducing security risk.
+* When developing and testing recipes, we recommend using sandbox (or non-production) credentials for your connections to ensure that live data isn’t affected when switching environments. 
+* Please note:  When setting up a connection, all users in your Cobalt Org will be able to use that connection and access any data. Be sure to use service accounts and limit permissions.