Documentation Index

Fetch the complete documentation index at: https://docs.medera.info/llms.txt

Use this file to discover all available pages before exploring further.

1. Never embed credentials in client code

Developer API Keys and internal service keys must never ship in a browser, a mobile app, or any other binary the user controls; anything delivered to the client can be extracted from it. Route every call that needs such a key through a backend you control. The frontend authenticates to that backend with Clerk JWTs and holds nothing else.
2. Use the smallest possible scope

A key scoped to read:data cannot mutate anything. A key scoped to read:phi cannot trigger workflows. Issuing the smallest scope that does the job bounds the blast radius if the key is ever leaked or misused.
3. Rotate every 90 days

The Console surfaces rotation reminders. Once the replacement key is deployed, revoke the old one explicitly; a superseded key that is merely no longer used is still a valid credential until it is revoked.
4. Store secrets in a hardened secret store

Use AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault and fetch secrets at runtime. Never commit them to source control, and never pass them as environment variables that get baked into container images (a Dockerfile ENV or build argument ends up in the image layers and in every registry that holds the image).
5. Verify webhook signatures

Every Medera webhook carries a Medera-Signature header of the form sha256=<hex>, an HMAC-SHA256 of the delivery computed with your webhook signing secret. Recompute the HMAC on your side, compare it with a constant-time comparison, and discard any delivery whose signature is missing, malformed, or fails to verify before you parse the body. Vapi inbound webhooks are verified separately by the vapi_integration HMAC validator.
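A verification routine for the Medera-Signature header, added here as an example; it is not code from Medera's SDK or from this documentation. It assumes the HMAC-SHA256 is computed over the raw request body exactly as transmitted, with your webhook signing secret, and hex-encoded; confirm the signed payload against the webhook reference before relying on it. The function names (compute_signature, verify_medera_signature, handle_webhook, process_event) and the sample secret and body are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data for the demo; not a real Medera secret or payload.
EXAMPLE_SECRET = b"whsec_example_do_not_use"
EXAMPLE_BODY = b'{"type":"visit.completed","id":"evt_123"}'


def compute_signature(secret: bytes, body: bytes) -> str:
    """Build the 'sha256=<hex>' value a sender would place in Medera-Signature.

    Assumption (not stated on the page): the HMAC-SHA256 is taken over the
    raw request body exactly as transmitted, and hex-encoded.
    """
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_medera_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only for a well-formed sha256=<hex> header that matches our own
    HMAC of the raw body. A missing header, an unknown scheme, a truncated digest
    and a tampered body all return False. The comparison is constant-time so a
    partial match cannot be detected through response timing."""
    if not header_value:
        return False
    scheme, sep, received = header_value.strip().partition("=")
    if sep != "=" or scheme.lower() != "sha256" or not received:
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # compare_digest returns False (it does not raise) when the lengths differ.
    return hmac.compare_digest(expected.encode("utf-8"), received.lower().encode("utf-8"))


def process_event(event: dict) -> None:
    """Placeholder for your business logic; hypothetical, not a Medera API."""
    print(f"verified event {event.get('id')} of type {event.get('type')}")


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> int:
    """Verify first, parse second. Returns the HTTP status to send back:
    401 means the delivery is discarded unprocessed, 200 means accepted.
    Header names are matched case-insensitively, as HTTP requires."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if not verify_medera_signature(secret, body, lowered.get("medera-signature")):
        return 401
    event = json.loads(body)  # only a verified body is trusted enough to parse
    process_event(event)
    return 200


if __name__ == "__main__":
    good = {"Medera-Signature": compute_signature(EXAMPLE_SECRET, EXAMPLE_BODY)}
    print(handle_webhook(EXAMPLE_SECRET, good, EXAMPLE_BODY))         # 200
    print(handle_webhook(EXAMPLE_SECRET, {}, EXAMPLE_BODY))           # 401, no signature
    print(handle_webhook(EXAMPLE_SECRET, good, EXAMPLE_BODY + b" "))  # 401, body tampered
```

Two details matter in practice: sign the raw bytes your framework received, not a re-serialized copy of the parsed JSON, because any change in key order or whitespace changes the digest; and if Medera's signed payload turns out to include a timestamp (an assumption, not something this page states), reject deliveries outside a short freshness window to close off replay of a captured request.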