Security

Publishable keys and merchant ids can live in the browser. Signing secrets, secret keys, and webhook whsec_… values cannot. Protect portal access separately at Security.


Where each credential belongs

Credential                    OK in browser         Never
ante_pk_* publishable key     Yes                   n/a
ante_merch_* merchant id      Yes                   n/a
ante_sign_* signing secret    No                    Client, git, logs
ante_sk_* secret key          No                    Browser (API blocks Origin)
whsec_* webhook secret        No                    Client, public logs
group_access_token            Organizer link only   Indexed or leaked in listings

Portal access

Merchant dashboard sign-in supports email OTP, Google, passkeys, and optional TOTP two-factor authentication. Passkeys and 2FA are configured at Security. Two-factor authentication (passkey or TOTP) is required before toggling live mode. Owners and admins who can rotate keys or switch modes should use the strongest option available.

Cart signing

Sign at click time on the server. If the cart changes after signing, discard the old signature and sign again. Generate and rotate the signing secret under Developers. Full spec: Cart signing.

Webhooks

Read the raw request body, not a re-serialized copy. Verify Ante-Signature with verifyWebhookSignature from @splitante/sdk/signing (constant-time comparison). Reject timestamps older than 5 minutes. Do not fulfill an order if verification fails. Using the wrong secret for the URL type (the whsec_* webhook secret vs the signing secret) is the most common production bug; see Webhooks.

API keys

Each environment (test or live) has one publishable and one secret key, shown in Developers. Full key values are shown only once, at creation or when you click New publishable key / New secret key to rotate. Revoke superseded keys under Key management. An optional IP allowlist can be set on secret keys if your servers have fixed egress addresses. Never point sandbox keys at production order tables. Publishable keys cannot call GET /merchants/me or register webhooks; those operations need a secret key.

Transport

HTTPS only for API and webhooks. Webhook URLs must use valid public TLS. The hosted modal is an iframe on splitante.com; lock down frame-src in CSP to that host if you use a strict policy.

Cards and PCI

With the default modal, Stripe collects card data inside Ante's checkout UI. Your page does not touch PAN. You remain responsible for PCI on the rest of your stack.

Leak response

Rotate the signing secret and API keys on Developers. Revoke any exposed keys immediately. Review recent sessions and webhook deliveries. Email contact@plurelinc.com if you need help tracing abuse.
