When your partner record is created in our admin panel, we issue the
following. Some are safe to log; one is secret.

| Credential | Used for | Visibility |
|---|---|---|
| partner_id (UUID) | Identifies your account in admin views. | OK to log. |
| slug | Sent as x-partner-slug on every /integrations/* call. | OK to log. |
| HMAC secret | Signs every /integrations/* request and verifies every webhook we send. | Secret. Store encrypted. Shown once at creation; rotate via the admin UI. |
| jwtIssuer | The iss claim our verifier expects on your JWTs. | OK to log. |
| jwtAudience | Optional. If set, our verifier requires it in aud. | OK to log. |
| jwksUrl or jwtPublicKey | How we fetch your JWT verification key. JWKS URL is recommended so you can rotate without telling us. | OK to log. |
| webhookUrl | Where we POST event notifications. HTTPS required in production. Private / loopback URLs are refused at dispatch time as an SSRF guard. | OK to log. |
| scopeMode | ALL (default) or ALLOWLIST. When ALLOWLIST, your users only see merchants explicitly linked to your partner record (plus optionally whole categories). | OK to log. |
| displayName and logoPath | Brand block surfaced by GET /me so the webview can render your logo instead of ours. | OK to log. |

HMAC secret rotation. From the admin UI you can issue a new secret
while keeping the old one active for a grace window. During rotation, our
verifier accepts multiple v1= entries — sign requests with both old and
new keys until you’ve finished the cutover.

hmacSecret is dual-purpose. The same secret signs your inbound
/integrations/* requests and our outbound webhooks to your
webhookUrl. There is no second “webhook secret” to manage — rotate the
HMAC secret and both directions roll over together.
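
The rotation window and the dual-purpose secret described above, as an added sketch (not our production code) of signing with both secrets and verifying against whichever secrets are currently active. Assumptions not stated on this page: each v1= entry is the hex HMAC-SHA256 of the raw body, entries are comma-separated, and the helper names, MAX_ENTRIES cap and sample values are hypothetical.

```python
import hashlib
import hmac

MAX_ENTRIES = 4  # assumed cap; bounds the work done on a hostile header

def v1_entry(secret: bytes, body: bytes) -> str:
    """One v1= entry: hex HMAC-SHA256 of the raw body (assumed scheme)."""
    return "v1=" + hmac.new(secret, body, hashlib.sha256).hexdigest()

def signature_header(secrets: list[bytes], body: bytes) -> str:
    """During rotation, sign with every secret you hold (old and new)."""
    return ",".join(v1_entry(s, body) for s in secrets)

def parse_v1(header: str) -> list[bytes]:
    """Extract v1= values, ignoring unknown schemes and empty values."""
    values = []
    for part in header.split(","):
        scheme, sep, value = part.strip().partition("=")
        if sep and scheme == "v1" and value:
            values.append(value.encode("utf-8", "replace"))
    return values[:MAX_ENTRIES]

def verify(header: str, body: bytes, active_secrets: list[bytes]) -> bool:
    """True if any v1= entry matches any currently active secret."""
    candidates = parse_v1(header)
    ok = False
    for secret in active_secrets:
        expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
        for cand in candidates:
            # compare_digest is constant-time; no early exit on a match
            ok |= hmac.compare_digest(expected, cand)
    return ok

# Constructed sample values, not real credentials.
OLD_SECRET = b"old-secret-constructed"
NEW_SECRET = b"new-secret-constructed"
BODY = b'{"event":"example.constructed","id":"evt_1"}'

if __name__ == "__main__":
    hdr = signature_header([OLD_SECRET, NEW_SECRET], BODY)
    print(verify(hdr, BODY, [OLD_SECRET]))  # receiver not yet cut over
    print(verify(hdr, BODY, [NEW_SECRET]))  # receiver already cut over
    print(verify(hdr, BODY + b" ", [OLD_SECRET, NEW_SECRET]))  # tampered body
```

Because the same secret covers both directions, the same verify routine applies to webhooks arriving at your webhookUrl: keep both secrets in the active list until the grace window ends, then drop the old one.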