Partner Credentials Guide¶
This guide explains how to set up and manage partner-provided credentials (ext.*) for your Kiket extensions.
Overview¶
When your extension integrates with third-party services like Slack, Zoom, or Jira, you typically need OAuth app credentials. These partner credentials are:
- Provided by you, the extension developer
- Stored securely in Kiket's Secret Manager
- Used during OAuth flows when users install your extension
Credential Lifecycle¶
┌─────────────────────────────────────────────────────────────┐
│ 1. DEVELOP │
│ Declare credentials in manifest │
│ credentials.ext: [zoom_client_id, zoom_client_secret] │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 2. CONFIGURE │
│ Enter credentials in Publisher Dashboard │
│ /publisher/extensions/:id/credentials │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 3. PUBLISH │
│ Credentials validated before go-live │
│ Extension available in marketplace │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ 4. RUNTIME │
│ OAuth flows use your credentials │
│ User tokens stored as org.* / user.* │
└─────────────────────────────────────────────────────────────┘
Declaring Credentials¶
In your extension manifest, declare required credentials under credentials.ext:
model_version: "1.0"
extension:
id: dev.mycompany.zoom-integration
name: Zoom Integration
version: 1.0.0
credentials:
ext:
- key: zoom_client_id
label: Zoom OAuth Client ID
type: oauth_client_id
required: true
help_url: https://marketplace.zoom.us/docs/guides/build/oauth-app
- key: zoom_client_secret
label: Zoom OAuth Client Secret
type: oauth_client_secret
required: true
secret: true
Credential Properties¶
| Property | Required | Description |
|---|---|---|
key |
Yes | Unique identifier (used as ext.{key} in setup steps) |
label |
Yes | Human-readable name shown in UI |
type |
No | Hint for UI: oauth_client_id, oauth_client_secret, api_key, signing_secret |
required |
No | If true, publishing is blocked until configured |
secret |
No | If true, value is masked in UI |
description |
No | Additional help text |
help_url |
No | Link to setup documentation |
Configuring in Publisher Dashboard¶
After declaring credentials in your manifest:
- Navigate to Publisher Dashboard
- Select your extension
- Click Manage Credentials
- Enter each required credential value
- Save changes
Finding Your Credentials¶
Each third-party service has different steps to obtain OAuth credentials:
Slack: 1. Go to api.slack.com/apps 2. Create or select your app 3. Navigate to OAuth & Permissions 4. Copy Client ID and Client Secret
Zoom: 1. Go to marketplace.zoom.us 2. Create an OAuth app 3. Note the Client ID and Client Secret
GitHub: 1. Go to Settings > Developer settings > OAuth Apps 2. Create new OAuth App 3. Copy Client ID and generate Client Secret
Jira: 1. Go to developer.atlassian.com 2. Create an OAuth 2.0 app 3. Copy Client ID and Client Secret
Referencing Credentials¶
In your setup wizard, reference credentials using the ext. prefix:
setup:
- secrets:
title: Connect to Zoom
fields:
- key: zoom_connection
label: Zoom Account
type: oauth_token
obtain:
type: oauth2
provider: zoom
client_id: ext.zoom_client_id # Your credential
client_secret: ext.zoom_client_secret # Your credential
scopes: ["meeting:read", "meeting:write"]
store_as: org.zoom_access_token # User's token
When a user goes through the wizard:
1. Kiket retrieves ext.zoom_client_id and ext.zoom_client_secret from Secret Manager
2. Initiates OAuth flow with Zoom using your app credentials
3. User authorizes access
4. Kiket stores the resulting token as org.zoom_access_token
Security¶
Encryption¶
All credentials are: - Encrypted at rest using AES-256-GCM - Stored in secure secret management infrastructure - Never exposed in API responses or logs
Audit Trail¶
Every credential operation is logged and blockchain-anchored: - Creation, update, rotation, deletion - Who performed the action - Timestamp and source
View your audit trail in the Publisher Dashboard under Credentials > Audit Log.
Rotation¶
To rotate a credential: 1. Generate new credentials in the third-party service 2. Update the value in Publisher Dashboard 3. The old value is immediately replaced
Active user sessions using the old credentials may need to re-authenticate.
Publishing Requirements¶
Before publishing to the marketplace:
- All
required: truecredentials must be configured - Publishing will fail with a clear error message if credentials are missing
Error: Missing required partner credentials: Zoom OAuth Client ID, Zoom OAuth Client Secret.
Configure them in the Publisher Dashboard.
Best Practices¶
- Use Dedicated Apps: Create OAuth apps specifically for your Kiket extension
- Minimize Scopes: Request only the scopes your extension needs
- Document Setup: Include
help_urlfor each credential - Test Before Publishing: Verify OAuth flows work in sandbox
- Monitor Expiration: Some credentials expire; set reminders to rotate
Troubleshooting¶
| Issue | Solution |
|---|---|
| "Missing required partner credentials" | Configure credentials in Publisher Dashboard |
| OAuth flow fails | Verify redirect URI matches Kiket's OAuth callback |
| "Invalid client" error | Double-check Client ID and Secret values |
| Credentials not working after rotation | Clear browser cache; users may need to re-auth |
See Also¶
- Setup Wizard Guide - Building onboarding flows
- Secret Store Reference - Credential storage details
- Manifest Specification - Schema reference