0Bit Documentation

Store server-side keys

Keep secret credentials and webhook secrets out of browsers, mobile apps, logs, tickets, and static builds.

0Bit integrations use different credential classes for server calls, hosted/browser surfaces, and webhook verification. Only publishable keys and documented session-scoped browser values belong in client code.

Secret keys are backend-only

Never send secret keys, webhook secrets, partner secrets, or internal service credentials to a browser, mobile app, public repository, analytics event, support ticket, or customer-visible error.

Credential boundary

Credential classes

Value | Where it belongs | What it does
Secret API key | Server runtime or secret manager. | Authenticates server-side 0Bit product API calls.
Webhook secret | Server runtime or secret manager. | Verifies signed webhook events.
Publishable key | Browser or mobile client. | Identifies the partner for browser-safe embed bootstrap.
Client secret | Browser or mobile client for one session. | Opens one hosted session, not a general API credential.

Server pattern

// Server-only: reads both secrets from the server environment and fails fast
// when either is missing, so a misconfigured deploy never runs half-configured.
function getObitServerConfig() {
  const apiKey = process.env.OBIT_SECRET_KEY;
  const webhookSecret = process.env.OBIT_WEBHOOK_SECRET;

  if (!apiKey || !webhookSecret) {
    throw new Error('missing_obit_server_config');
  }

  return { apiKey, webhookSecret };
}

// Server-only: the secret key is used here and never leaves the server. Only the
// publishable key and the session-scoped client secret are returned to the browser.
// `CheckoutInput` and `hostedSessions` stand for your server-side 0Bit integration.
async function createBrowserSession(input: CheckoutInput) {
  const { apiKey } = getObitServerConfig();
  const session = await hostedSessions.create({ apiKey, input });

  return {
    publishableKey: process.env.NEXT_PUBLIC_OBIT_PUBLISHABLE_KEY,
    clientSecret: session.clientSecret,
  };
}

Rotation checklist

  1. Add the new key or secret to your secret manager.
  2. Deploy code that can accept both old and new webhook signatures if overlap is supported by your operating model.
  3. Move traffic to the new credential.
  4. Revoke the old credential after verification.
  5. Confirm no logs, build artifacts, or support tickets contain the old value.
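Step 2 of the checklist (accepting both old and new webhook signatures during the overlap) and the "Verifies signed webhook events" row above, as an added server-side example that is not the 0Bit SDK's own code. It assumes a hex HMAC-SHA256 over the raw request body, a second environment variable OBIT_WEBHOOK_SECRET_PREVIOUS for the outgoing secret, and that the caller passes the signature header value; the real 0Bit signing scheme and header name are not specified on this page.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Assumption (not from the 0Bit docs): the webhook signature is a hex
// HMAC-SHA256 over the raw request body. Substitute the real scheme.
function signBody(secret: string, rawBody: string): string {
  return createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex');
}

// Constant-time comparison; a length mismatch or non-hex input fails closed.
function safeEqualHex(received: string, expected: string): boolean {
  const a = Buffer.from(received, 'hex');
  const b = Buffer.from(expected, 'hex');
  if (a.length === 0 || a.length !== b.length) return false;
  return timingSafeEqual(a, b);
}

interface WebhookSecrets {
  current: string;
  previous?: string; // present only during the rotation overlap window
}

// Loads both secrets from the server environment. OBIT_WEBHOOK_SECRET_PREVIOUS
// is an assumed variable name for the old value; unset it once rotation is done.
function loadWebhookSecrets(env: Record<string, string | undefined>): WebhookSecrets {
  const current = env.OBIT_WEBHOOK_SECRET;
  if (!current) throw new Error('missing_obit_server_config');
  return { current, previous: env.OBIT_WEBHOOK_SECRET_PREVIOUS || undefined };
}

// Returns which secret verified the event, or null to reject. Record the label
// in metrics: once 'previous' stops appearing, the old secret is safe to revoke
// (step 4); a 'previous' match after revocation means a stale or leaked sender.
function verifyWebhook(
  rawBody: string,
  signatureHeader: string | undefined,
  secrets: WebhookSecrets,
): 'current' | 'previous' | null {
  if (!signatureHeader) return null;
  const candidates: Array<['current' | 'previous', string]> = [['current', secrets.current]];
  if (secrets.previous) candidates.push(['previous', secrets.previous]);
  for (const [label, secret] of candidates) {
    if (safeEqualHex(signatureHeader, signBody(secret, rawBody))) return label;
  }
  return null;
}
```

Verify against the raw body bytes exactly as received, before any JSON parsing or re-serialisation, or the computed digest will not match.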

Anti-patterns

Anti-pattern | Risk
Putting secret keys in NEXT_PUBLIC_*, VITE_*, or mobile build config. | Anyone can extract and use them.
Logging Authorization headers. | Logs become credentials.
Pasting webhook secrets into tickets. | Support tools become secret stores.
Reusing one secret across sandbox and live. | Environment mistakes become harder to detect.
