1
Never embed credentials in client code
Developer API Keys and internal service keys must never ship in a browser, mobile app, or any client-controlled binary. Always exchange through a backend you control. The frontend uses the identity provider JWTs only.
2
Use the smallest possible scope
A key with
read:data cannot mutate. A key with read:phi cannot trigger workflows. The smallest scope contains blast radius.3
Rotate every 90 days
The Console enforces rotation reminders. Old keys must be revoked, not retired in place.
4
Store secrets in a hardened secret store
AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault — never in source control, never in environment variables that get baked into images.
5
Verify webhook signatures
Every Medera webhook ships with
Medera-Signature: sha256=... (HMAC-SHA256). Webhooks without verified signatures must be discarded. Medera Voice inbound webhooks are verified separately by the vapi_integration HMAC validator.