Authentication

There are two credentials you need to configure before going live: an API key for authenticating outbound requests, and a webhook secret for verifying inbound events. Both are available in your dashboard under Settings.

API Key

Every request to the Mono-Parser API must include your API key in the x-api-key header. Your key is prefixed with mp_live_.

Request Header

http

x-api-key: mp_live_your_secret_key_here

Keep your API key secret. Never expose it in client-side code, mobile apps, or version control. If compromised, rotate it immediately from your dashboard. Your key grants full access to all your applicants and applications.

Webhook Secret

Every event we send to your webhook URL includes an x-mono-signature header — an HMAC-SHA256 signature of the raw request body, signed with your webhook secret. Verify this signature on every inbound event before processing it.

Your webhook secret is available in your dashboard under Settings. It is shown once on generation — store it as an environment variable. If you lose it, rotate from the dashboard to get a new one.