Protect the credential
The client_secret is the key to the partner ring. Keep it server-side only, in a secrets manager or environment variable — never in a repo, a browser bundle or a mobile app. Scope every token to only what it uses (least privilege), so a leak is bounded, and rotate on a schedule.
Verify what comes in
Never trust an unverified webhook — recompute its HMAC signature over the raw body in constant time before acting. Reject on mismatch. This is the single most important control on the receiving side, because a webhook drives real state in your system.
Transport and hygiene
Use TLS for every call — the API is HTTPS-only. Do not log tokens or secrets; redact them in error reporting. Prefer local JWKS verification for throughput but introspect where instant revocation matters. Run one project per workload for isolation.
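The "do not log tokens or secrets; redact them in error reporting" rule is easiest to enforce with one scrubbing function applied at the logging and error-reporting boundary. The following is an added example, not code from this page or from Credicorp; the key names it scrubs (client_secret, access_token, refresh_token) and the Bearer header format are standard OAuth shapes, and the sample strings are constructed.

```python
import re
from typing import Any

# Keys whose values must never reach a log line or an error report.
SENSITIVE_KEYS = frozenset({"client_secret", "access_token", "refresh_token", "authorization"})

# RFC 6750 bearer token: "Bearer" followed by b64token characters.
_BEARER = re.compile(r"(?i)\bBearer\s+[A-Za-z0-9\-._~+/]+=*")
# key=value pairs as found in form bodies, query strings and request dumps.
_KV = re.compile(r"(?i)\b(client_secret|access_token|refresh_token)=([^&\s]+)")
# "key": "value" pairs inside JSON text that was already serialised.
_JSON = re.compile(r'(?i)("(?:client_secret|access_token|refresh_token)"\s*:\s*")([^"]*)(")')

REDACTED = "[REDACTED]"


def redact(text: str) -> str:
    """Scrub bearer tokens and known secret fields from free-form text."""
    text = _BEARER.sub(f"Bearer {REDACTED}", text)
    text = _KV.sub(lambda m: f"{m.group(1)}={REDACTED}", text)
    text = _JSON.sub(lambda m: f"{m.group(1)}{REDACTED}{m.group(3)}", text)
    return text


def redact_structure(obj: Any) -> Any:
    """Recursively scrub a dict/list (e.g. an error-report context payload).

    Values under sensitive keys are replaced outright, regardless of type;
    every remaining string is passed through redact() in case a token was
    embedded in a message or URL.
    """
    if isinstance(obj, dict):
        return {
            k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_structure(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_structure(v) for v in obj]
    if isinstance(obj, str):
        return redact(obj)
    return obj


if __name__ == "__main__":
    # Constructed sample of what an unredacted request dump might look like.
    sample = (
        "POST /oauth/token client_id=abc&client_secret=s3cr3t&grant_type=client_credentials\n"
        "Authorization: Bearer eyJabc.def_ghi"
    )
    print(redact(sample))
```

Wire redact_structure into the error reporter's "before send" hook and redact into a logging.Filter so the scrub happens once, centrally, rather than relying on every call site to remember.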
Frequently asked questions
Where should the client secret live?
In a server-side secrets manager or environment variable, never in client code, a browser bundle, a mobile app or version control. If it ever leaks, rotate it immediately.
What is the highest-value control on the webhook side?
Signature verification. Recompute the HMAC over the raw body in constant time and reject on mismatch before doing anything — an unverified webhook could be forged and would drive real state changes.
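The receiving-side control described under "Verify what comes in" and in the FAQ answer above, as an added example that is not code from this page or from Credicorp. It assumes HMAC-SHA256 with a hex-encoded signature carried in a header named X-Webhook-Signature; the page does not state the header name or encoding, so both are assumptions, and the secret and body are constructed samples. The example also shows why the MAC must be computed over the raw bytes: parsing and re-serialising the JSON changes the bytes and would break verification.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret. In production this lives in a server-side
# secrets manager, never in a repo or a client bundle.
WEBHOOK_SECRET = b"constructed-example-signing-secret"

# Assumed header name; the real name is not given on this page.
SIGNATURE_HEADER = "X-Webhook-Signature"

# Constructed sample event body, exactly as it would arrive on the wire.
SAMPLE_BODY = b'{"type":"decision.made","id":"evt_0001"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request bytes, hex-encoded (encoding assumed)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, received: Optional[str]) -> bool:
    """Recompute the MAC and compare it in constant time."""
    if not received:
        return False
    expected = compute_signature(secret, raw_body)
    # Comparing bytes avoids the TypeError that compare_digest raises for
    # non-ASCII str input, and does not short-circuit on the first mismatch.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> tuple:
    """Verify first, parse second: nothing in the body is trusted until the MAC checks out."""
    if not verify_webhook(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        return ("rejected", None)
    event = json.loads(raw_body)
    return ("accepted", event.get("type"))


def reserialized_differs(raw_body: bytes) -> bool:
    """True when parse-then-dump does not reproduce the wire bytes.

    This is why the MAC is computed over raw_body and not over a re-encoded
    version of the parsed object.
    """
    return json.dumps(json.loads(raw_body)).encode("utf-8") != raw_body


if __name__ == "__main__":
    good = {SIGNATURE_HEADER: compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY, good))        # ('accepted', 'decision.made')
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY + b"\n", good))  # ('rejected', None)
    print(reserialized_differs(SAMPLE_BODY))                        # True
```

In a real handler, read the body with the framework's raw-bytes accessor (not a parsed JSON property) before passing it to handle_webhook, and return a 4xx on rejection without processing or logging the body.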
Related reading

Scopes and least privilege on partner/v1: Request only the scopes your integration actually uses. A credential scoped to applications:write cannot read…

Webhooks and event delivery: Credicorp pushes events — decision made, payment settled, document signed — to your registered URL as signed…