Metronome integration security guidelines
Metronome provides SaaS-based billing infrastructure that helps software companies launch, iterate, and scale their usage-based business models. Metronome's service is built on three fundamental principles:
- Principle of least privilege: Every actor in Metronome has access to no data and the ability to take no actions until that access has been explicitly granted.
- Zero trust architecture
- No access granted via long-lived credentials or configuration
Recommendations for securely integrating with Metronome
- Authentication: Metronome supports SSO with the SAML 2.0 protocol, for both service-provider- and identity-provider-initiated authentication. We strongly recommend that SSO be configured and that multi-factor authentication (MFA) be enabled at the SSO identity provider level (Okta) when accessing Metronome.
- Authorization: All calls to the Metronome API require an authorization token. You can create a token and give it a friendly name in the Metronome dashboard.
- Metronome strongly recommends that API tokens are stored in a secrets manager that supports programmatic access, so that applications fetch the token at runtime rather than reading it from configuration.
- Metronome suggests that customers rotate API tokens based on their internal security policy. We typically recommend that customers rotate API tokens once a year or after any security incident.
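The following is an added example, not Metronome's own code, showing how the three authorization recommendations above fit together in an integration: the token is fetched from a secrets manager at call time (never from a config file), it is attached to the request, and its age is checked against the yearly rotation policy and against any security incident that occurred after it was issued. The in-memory secret store stands in for a real secrets manager so the example runs offline; the secret field names, the secret name, the sample token value and the `Bearer` header scheme are assumptions made for illustration.

```python
"""Added example, not Metronome's own code: load an API token from a secrets
manager at call time, attach it to a request, and check it against a rotation
policy. Secret layout, field names, the sample token and the Bearer header
format are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional, Protocol

# Page: rotate at least once a year, or after any security incident.
ROTATION_MAX_AGE = timedelta(days=365)


class SecretStore(Protocol):
    """Minimal interface a real secrets manager client would be wrapped in."""
    def get_secret(self, name: str) -> Mapping[str, str]: ...


class InMemorySecretStore:
    """Stand-in for AWS Secrets Manager / Vault so the example runs offline.
    Values are constructed; nothing here is a real token."""
    def __init__(self, secrets: Mapping[str, Mapping[str, str]]):
        self._secrets = dict(secrets)

    def get_secret(self, name: str) -> Mapping[str, str]:
        return self._secrets[name]


@dataclass(frozen=True)
class ApiCredential:
    token: str
    created_at: datetime


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def load_credential(store: SecretStore, name: str) -> ApiCredential:
    """Fetch the token programmatically; never read it from a config file or
    bake it into a deployment. Assumed secret fields: token, created_at."""
    secret = store.get_secret(name)
    return ApiCredential(token=secret["token"], created_at=_parse(secret["created_at"]))


def token_needs_rotation(cred: ApiCredential, now: datetime,
                         incident_at: Optional[datetime] = None) -> bool:
    """True when the token is past the yearly rotation window, or when a
    security incident happened after it was issued."""
    if now - cred.created_at > ROTATION_MAX_AGE:
        return True
    return incident_at is not None and incident_at > cred.created_at


def check_rotation(created_iso: str, now_iso: str,
                   incident_iso: Optional[str] = None) -> bool:
    """String-based wrapper around token_needs_rotation, handy for tooling."""
    cred = ApiCredential(token="<unused>", created_at=_parse(created_iso))
    incident = _parse(incident_iso) if incident_iso else None
    return token_needs_rotation(cred, _parse(now_iso), incident)


def auth_headers(cred: ApiCredential) -> dict:
    """Build the Authorization header. The Bearer scheme is assumed here;
    follow the Metronome API reference for the exact format."""
    return {"Authorization": f"Bearer {cred.token}"}


def redact(token: str) -> str:
    """Log-safe representation: never emit the full token."""
    if len(token) <= 8:
        return "****"
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    store = InMemorySecretStore({
        "metronome/api-token": {  # assumed secret name
            "token": "mtr_constructed_example_token_0001",
            "created_at": "2023-01-15T00:00:00+00:00",
        }
    })
    cred = load_credential(store, "metronome/api-token")
    print("headers:", {k: redact(v) for k, v in auth_headers(cred).items()})
    print("needs rotation:", token_needs_rotation(cred, datetime.now(timezone.utc)))
```

Wiring `token_needs_rotation` into a scheduled job (or a startup check) turns the rotation policy into something that is enforced rather than remembered; the `incident_at` parameter covers the "after any security incident" clause by flagging every token issued before the incident.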
- End-user data: User accounts in Metronome are associated with email addresses, but we do not require or store additional personally identifiable information (PII). Metronome also requires some pricing and packaging inputs to generate invoicing and cost data. Customer information can be obfuscated using ingest aliases, so that usage events reference an opaque identifier rather than your internal customer record.
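As an added example (not Metronome's own code), the block below derives a keyed, opaque ingest alias for each customer and builds a usage event that carries only that alias, with a guard that rejects PII-looking property keys before the event leaves your systems. The mapping from alias back to the real customer stays with you, under the alias key in your own secrets manager. The HMAC construction, the `cust_` prefix, the event field names and the PII denylist are assumptions for illustration; the alias itself is what you would register as the customer's ingest alias in Metronome.

```python
"""Added example, not Metronome's own code: derive an opaque ingest alias for a
customer and emit usage events that never carry the internal customer
identifier or PII. HMAC construction, prefix, event field names and the PII
denylist are assumptions for illustration."""
import hashlib
import hmac
import json
from typing import Dict, List

# Property keys that should never ride along on a usage event (assumed list).
PII_KEYS = frozenset({"email", "name", "full_name", "phone", "address", "ssn"})


def make_ingest_alias(internal_customer_id: str, alias_key: bytes,
                      prefix: str = "cust_") -> str:
    """Keyed pseudonym: stable for the same customer, but not derivable from
    the ID without alias_key (a plain hash of a low-entropy ID such as a
    sequential account number could be brute-forced). Keep alias_key in your
    own secrets manager; Metronome never needs it."""
    digest = hmac.new(alias_key, internal_customer_id.encode("utf-8"),
                      hashlib.sha256).hexdigest()
    return prefix + digest[:32]


def pii_keys(properties: Dict[str, object]) -> List[str]:
    """Return the property keys that match the PII denylist (case-insensitive)."""
    return sorted(k for k in properties if k.lower() in PII_KEYS)


def build_usage_event(internal_customer_id: str, alias_key: bytes,
                      event_type: str, properties: Dict[str, object],
                      transaction_id: str, timestamp_iso: str) -> dict:
    """Usage event that references the customer only by alias.
    Field names are assumed for this example."""
    leaked = pii_keys(properties)
    if leaked:
        raise ValueError(f"refusing to send PII properties: {leaked}")
    return {
        "customer_id": make_ingest_alias(internal_customer_id, alias_key),
        "event_type": event_type,
        "transaction_id": transaction_id,  # idempotency key for the event
        "timestamp": timestamp_iso,
        "properties": dict(properties),
    }


def serialize_event(event: dict) -> str:
    """JSON body as it would be posted; useful for asserting nothing leaked."""
    return json.dumps(event, sort_keys=True)


if __name__ == "__main__":
    key = b"constructed-alias-key-keep-in-secrets-manager"  # constructed value
    event = build_usage_event(
        internal_customer_id="acct-42",           # internal ID, never sent
        alias_key=key,
        event_type="api_call",
        properties={"region": "us-east-1", "count": 3},
        transaction_id="txn-0001",
        timestamp_iso="2024-05-01T12:00:00+00:00",
    )
    print(serialize_event(event))
```

Because the alias is deterministic for a given key, every service in your stack produces the same alias for the same customer without sharing a lookup table; rotating the key changes all aliases at once, so a key rotation must be paired with re-registering the new aliases.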