Reviewedv1Platform contracts

Authentication and credential safety

Choose the correct user, device, or partner identity and keep secrets out of clients and logs.

Identity types

Authentication varies by surface: employee sessions for interactive UI, app tokens for registered devices, and server credentials or HMAC for partner integrations. These identities are not interchangeable.

  • User session: authorized employee actions.
  • Device/app token: a registered device within a business and branch.
  • Partner server credential: server-to-server integration.
  • HMAC signature: message-integrity proof when required by contract.

Secret storage

A secret key never belongs in a Flutter client or public JavaScript. Store it in a server environment or secret manager and rotate it on suspicion or according to policy.

Signing

For HMAC, define a canonical request, timestamp, nonce, and clock-skew window. Reject a replayed nonce or a signature outside that window.

Canonical shape
<METHOD>\n<PATH>\n<TIMESTAMP>\n<NONCE>\n<SHA256(BODY)>