Are you talking about downloadable products (software, videos, etc..), otherwise I have no idea what you are talking about.

Let's say I make a mobile app. The user must subscribe to it via a public key inside of their 3dcart admin panel. Once they subscribe to it, a callback URL processes the subscription and then 3dCart sends my server the following:

1) My public app key (which is freely available)
2) A unique private key (token key) specific to that store
3) The secure URL of the store (https://www.my-3d-store.com)
4) The action (either AUTHORIZE or REMOVE)
5) a timestamp

The user subscribed through their store control panel, and I receive all of the necessary data to connect and make calls to their store.

Now let's say the user opens my app. I must find a secure way to identify the user with the store in my database. The user has access to their secure URL but not their unique token key, only I have access to it. I can ask the user to enter their secure URL, but that means anyone can enter the secure URL (https://www.a-3d-store.com) into the app and if that store has subscribed to my app it will give the false user access to the store data.

My solution is to make the token key visible to the store who subscribed, they can put it into the app to verify their identity with my app.

There are alternative work arounds, but none of them are as secure as allowing the user to access the token key as a means of verifying the identity of the user with my app.