Connector Authentication

Connectors use different authentication methods depending on their type.

Webhook Authentication

Each connector installation generates a unique token embedded in the webhook URL:

https://app.monetro.at/api/payment-import/{provider}/{token}

The token is a cryptographically random UUID, generated on installation and used to resolve the tenant on incoming webhooks.

Signature Verification

In addition to the token, each webhook endpoint verifies the request signature using the provider's method:

| Provider | Method |
|---|---|
| Stripe | stripe.webhooks.constructEvent() with whsec_ secret |
| PayPal | CRC32-based HMAC verification |
| Mollie | API key fetch verification |
| Revolut | HMAC-SHA256 with timestamp validation |

API Key Authentication

For connectors that call external APIs (like Google Workspace), credentials are stored encrypted (AES-256-GCM):

{
  "settingsSchema": [
    {
      "key": "clientSecret",
      "label": "OAuth Client Secret",
      "type": "password",
      "encrypted": true
    }
  ]
}
Caution: Encrypted values are never returned in API responses. The API only returns secretSet: true or secretSet: false to indicate whether a secret has been configured.
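
How the storage and redaction rules above fit together, as an added example that is not Monetro's own code. The function names, the key handling, the iv.tag.ciphertext storage format, the installation-bound AAD and the exact response shape are assumptions for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed schema in the same shape as the settingsSchema shown above.
const settingsSchema = [
  { key: "clientId", label: "OAuth Client ID", type: "text" },
  { key: "clientSecret", label: "OAuth Client Secret", type: "password", encrypted: true },
];

// AES-256-GCM with a fresh 96-bit IV per value; reusing an IV under one key breaks GCM.
// The AAD binds the ciphertext to its installation and field (an assumed design choice).
function encryptValue(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join(".");
}

function decryptValue(key, stored, aad) {
  const [iv, tag, ct] = stored.split(".").map((s) => Buffer.from(s, "base64"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(tag);
  // final() throws if the ciphertext, tag or AAD does not match.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Encrypt every field flagged "encrypted" before the settings are persisted.
function sealSettings(key, schema, values, installationId) {
  const out = {};
  for (const f of schema) {
    if (!(f.key in values)) continue;
    out[f.key] = f.encrypted
      ? encryptValue(key, values[f.key], `${installationId}:${f.key}`)
      : values[f.key];
  }
  return out;
}

// API view: an encrypted field is reduced to a secretSet flag, never its value.
function toApiResponse(schema, stored) {
  const out = {};
  for (const f of schema) {
    out[f.key] = f.encrypted ? { secretSet: Boolean(stored[f.key]) } : (stored[f.key] ?? null);
  }
  return out;
}
```

Because the AAD includes the installation id, a ciphertext copied into another installation's record fails authentication on decrypt instead of yielding that tenant a working secret.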