Skip to main content

Secrets and rotation

SpendDaddy stores credentials and integration keys behind the app settings layer and never prints secrets.

What should never be exposed

Private keys
API tokens
Webhook URLs that include secrets
Public API full keys

What is stored

Apple Ads, RevenueCat, and App Store Connect credentials are stored in app secrets
Public API keys and webhook tokens are stored as one-way hashes in data rows
Full token text is shown only when generated

Rotation policy

Rotate RevenueCat webhook URL via Integrations > RevenueCat > rotate webhook.
Rotate first-party public API keys via POST /api/private/apps/{app_id}/first-party-key/rotate.
Re-run the relevant endpoint wiring in RevenueCat/app code after key rotation.

Operational rules

Keep .env and .secrets out of source control.
Use unique, environment-specific credentials for local, staging, and production.
Never paste secret values in shared logs or tickets.

What should never be exposed
What is stored
Rotation policy
Operational rules