Security
Publishable keys and merchant ids can live in the browser. Signing secrets, secret keys, and webhook whsec_… values cannot. Protect portal access separately at Security.
Copy this page as a setup prompt for your coding assistant.
Where each credential belongs
| Credential | OK in browser | Never |
|---|---|---|
| ante_pk_* publishable key | Yes | n/a |
| ante_merch_* merchant id | Yes | n/a |
| ante_sign_* signing secret | No | Client, git, logs |
| ante_sk_* secret key | No | Browser (API blocks Origin) |
| whsec_* webhook secret | No | Client, public logs |
| group_access_token | Organizer link only | Indexed or leaked in listings |
Portal access
Merchant dashboard sign-in supports email OTP, Google, passkeys, and optional TOTP two-factor authentication. Passkeys and 2FA are configured at Security. Two-factor authentication (passkey or TOTP) is required before toggling live mode. Owners and admins who can rotate keys or switch modes should use the strongest option available.
Cart signing
Sign at click time on the server. If the cart changes after sign, throw away the old signature. Generate and rotate the signing secret under Developers. Full spec: Cart signing.
Webhooks
Read the raw body. Verify Ante-Signature with verifyWebhookSignature from @splitante/sdk/signing (constant-time). Reject timestamps older than 5 minutes. Do not fulfill on failed verification. Wrong secret for the URL type (whsec vs signing secret) is the most common production bug; see Webhooks.
API keys
Each environment (test or live) has one publishable and one secret key shown in Developers. Full key values are shown once at creation or when you click New publishable key / New secret key to rotate. Revoke superseded keys under Key management. Optional IP allowlist on secret keys for fixed egress. Never point sandbox keys at production order tables. Publishable keys cannot call GET /merchants/me or register webhooks; those need a secret key.
Transport
HTTPS only for API and webhooks. Webhook URLs must use valid public TLS. The hosted modal is an iframe on splitante.com; lock down frame-src in CSP to that host if you use a strict policy.
Cards and PCI
With the default modal, Stripe collects card data inside Ante's checkout UI. Your page does not touch PAN. You remain responsible for PCI on the rest of your stack.
Leak response
Rotate the signing secret and API keys on Developers. Revoke any exposed keys immediately. Review recent sessions and webhook deliveries. Email contact@plurelinc.com if you need help tracing abuse.