Skip to content

Credentials & secrets

Four kinds of secret material exist in a MonetizeIt integration. Each has its own rotation story; none needs to be shared between them.

Created under Settings → API credentials (guide).

  • The secret is shown once, at creation. Store it in your secret manager; if it’s lost, Rotate Secret issues a new one — there is no way to read it back.
  • Grant each client the narrowest scopes that work (scope catalog) and use separate clients per system, so one leaked credential has a small blast radius and a clean kill switch: Disable or Delete the client to revoke it immediately.
  • Client secrets belong on servers only. A desktop or device build never carries one — the license-session model exists so it doesn’t have to.

Each subscription has an HMAC secret (minimum 32 bytes) used to sign every delivery.

  • Rotate from the portal (Settings → Webhooks) or POST /api/v1/webhooks/admin/subscriptions/{id}/secret.
  • Rotation has an overlap window: deliveries carry signatures under both the old and new secret until it closes, so a receiver that checks all candidate signatures drops nothing during the roll.
  • Rotations are recorded in the audit trail.

Licenses are RSA-signed JWTs.

  • Devices hold only the public key — pin it in the .NET SDK (fetch once from GET /api/v1/provision/admin/providers/license-signing-key). Nothing that ships to a customer machine can mint or alter a license.
  • The same key signs offline activation responses and usage receipts, so air-gapped devices verify artifacts with the key they already trust.
  • License tokens are bearer credentials for their session: don’t log them, and release the session (ReleaseSessionAsync / POST .../release) when done.
  • Tokens from the client-credentials grant are short-lived by design. Cache one and refresh on expiry (the SDK’s authentication providers do this); don’t request a fresh token per call.
  • Keep tokens out of logs, URLs and error reports — they’re Authorization header material only.