March 7, 2026 | 7 min read

Secure Conversion Tracking for Multi-Tenant SaaS

Why tenant payment secrets should stay on tenant infrastructure and how to track conversions safely.

Security, SaaS, Attribution

In multi-tenant SaaS, shared webhook secrets create avoidable risk. If customers must hand over payment-provider credentials, trust drops and onboarding friction rises immediately.

A safer pattern is tenant-side verification plus normalized conversion forwarding. Each tenant verifies provider signatures in their own backend, then sends a minimal conversion payload to your app.

Issue org-scoped API keys, store only their hashes, reveal each secret once at creation, and revoke the old key immediately on rotation. This gives each tenant isolated credentials and a clear blast-radius boundary.

Require a stable external event id for idempotency. Handle duplicates deterministically so retries remain safe under network errors. This prevents double commissions and simplifies audit trails.

The payload should be intentionally small: amount in cents, currency, referral code, provider event id, and optional conversion timestamp. Everything else can stay in the tenant system.
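A sketch of the receiving side that ties together the hashed org-scoped keys, the per-event idempotency, and the minimal payload described above. It is an added example, not code from the original article: the `ck_` prefix, field names, HTTP status codes, and in-memory tables are assumptions standing in for a real schema.

```python
import hashlib
import secrets

# In-memory stand-ins for database tables (assumed schema, illustration only).
API_KEYS = {}      # sha256(key) -> {"org_id": str, "revoked": bool}
CONVERSIONS = {}   # (org_id, provider_event_id) -> stored payload
FIELDS = {"amount_cents": int, "currency": str, "referral_code": str,
          "provider_event_id": str, "converted_at": str}
OPTIONAL = {"converted_at"}

def _digest(key):
    # Keys are 256-bit random tokens, so a fast hash is enough for lookup.
    return hashlib.sha256(key.encode()).hexdigest()

def issue_key(org_id):
    """Return the plaintext key once; only its hash is ever stored."""
    key = "ck_" + secrets.token_urlsafe(32)
    API_KEYS[_digest(key)] = {"org_id": org_id, "revoked": False}
    return key

def rotate_key(old_key):
    """Revoke the old key immediately, then issue a new one for the same org."""
    record = API_KEYS[_digest(old_key)]
    record["revoked"] = True
    return issue_key(record["org_id"])

def ingest(key, payload):
    """Handle one conversion request (payload is a parsed JSON object)."""
    record = API_KEYS.get(_digest(key))
    if record is None or record["revoked"]:
        return 401, {"error": "invalid or revoked key"}
    if set(payload) - set(FIELDS):
        return 400, {"error": "unexpected field"}   # keep the payload minimal
    for name, kind in FIELDS.items():
        if name not in payload and name in OPTIONAL:
            continue
        if type(payload.get(name)) is not kind:     # also rejects bool amounts
            return 400, {"error": "bad " + name}
    if payload["amount_cents"] <= 0 or not payload["provider_event_id"]:
        return 400, {"error": "empty event id or non-positive amount"}
    dedupe = (record["org_id"], payload["provider_event_id"])  # scoped per tenant
    if dedupe not in CONVERSIONS:
        CONVERSIONS[dedupe] = dict(payload)
        return 201, {"status": "recorded"}
    if CONVERSIONS[dedupe] == payload:
        return 200, {"status": "duplicate"}         # safe retry, no second commission
    return 409, {"error": "event id reused with different data"}
```

In a real datastore the duplicate check should be a unique constraint on the org and provider event id pair, so that concurrent retries cannot both insert.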

This model keeps sensitive billing logic where it belongs while preserving the attribution and payout workflows founders need. Security improves, and adoption usually improves with it.