Reviewedv1Platform contracts
Authentication and credential safety
Choose the correct user, device, or partner identity and keep secrets out of clients and logs.
Identity types
Authentication varies by surface: employee sessions for interactive UI, app tokens for registered devices, and server credentials or HMAC for partner integrations. These identities are not interchangeable.
- User session: authorized employee actions.
- Device/app token: a registered device within a business and branch.
- Partner server credential: server-to-server integration.
- HMAC signature: message-integrity proof when required by contract.
Secret storage
A secret key never belongs in a Flutter client or public JavaScript. Store it in a server environment or secret manager and rotate it on suspicion or according to policy.
Signing
For HMAC, define a canonical request, timestamp, nonce, and clock-skew window. Reject a replayed nonce or a signature outside that window.
<METHOD>\n<PATH>\n<TIMESTAMP>\n<NONCE>\n<SHA256(BODY)>