Skip to main content
Onboarding is a two-way exchange. Some values we generate and issue to you; others you provide to us so we can verify your tokens and reach your systems. The Provided by column below says exactly who owns each value.
Rule of thumb. We issue your identity (partner_id, slug) and the shared HMAC secret, and we set scopeMode. You provide everything we need to trust your tokens (jwtIssuer + jwksUrl/jwtPublicKey), to reach you (webhookUrl), and your brand (displayName, logo). Your JWT private signing key never leaves your backend — you never send it to us.
HMAC secret rotation. From the admin UI you can issue a new secret while keeping the old one active for a grace window. During rotation, our verifier accepts multiple v1= entries — sign requests with both old and new keys until you’ve finished the cutover.
hmacSecret is dual-purpose. The same secret signs your inbound /integrations/* requests and our outbound webhooks to your webhookUrl. There is no second “webhook secret” to manage — rotate the HMAC secret and both directions roll over together.