Credentials & secrets
Four kinds of secret material exist in a MonetizeIt integration. Each has its own rotation story; none needs to be shared between them.
API client secrets
Section titled “API client secrets”Created under Settings → API credentials (guide).
- The secret is shown once, at creation. Store it in your secret manager; if it’s lost, Rotate Secret issues a new one — there is no way to read it back.
- Grant each client the narrowest scopes that work (scope catalog) and use separate clients per system, so one leaked credential has a small blast radius and a clean kill switch: Disable or Delete the client to revoke it immediately.
- Client secrets belong on servers only. A desktop or device build never carries one — the license-session model exists so it doesn’t have to.
Webhook signing secrets
Section titled “Webhook signing secrets”Each subscription has an HMAC secret (minimum 32 bytes) used to sign every delivery.
- Rotate from the portal (Settings → Webhooks) or
POST /api/v1/webhooks/admin/subscriptions/{id}/secret. - Rotation has an overlap window: deliveries carry signatures under both the old and new secret until it closes, so a receiver that checks all candidate signatures drops nothing during the roll.
- Rotations are recorded in the audit trail.
License tokens and the signing key
Section titled “License tokens and the signing key”Licenses are RSA-signed JWTs.
- Devices hold only the public key — pin it in the
.NET SDK (fetch once from
GET /api/v1/provision/admin/providers/license-signing-key). Nothing that ships to a customer machine can mint or alter a license. - The same key signs offline activation responses and usage receipts, so air-gapped devices verify artifacts with the key they already trust.
- License tokens are bearer credentials for their session: don’t log them, and
release the session (
ReleaseSessionAsync/POST .../release) when done.
Access tokens
Section titled “Access tokens”- Tokens from the client-credentials grant are short-lived by design. Cache one and refresh on expiry (the SDK’s authentication providers do this); don’t request a fresh token per call.
- Keep tokens out of logs, URLs and error reports — they’re
Authorizationheader material only.