Authentication

Secret keys authenticate server-to-server calls. Never ship them to browsers, mobile apps, or public repositories.

• Use secret keys for /v1/jobs, project config reads, and server-managed beacons.
• Rotate keys in the dashboard if ownership or deployment boundaries change.
• Responses after creation must not reveal the full key again.

Publishable keys are browser-safe only when paired with allowed origins. Browser activation rejects mismatched origins before a job can be created.

• Configure every production origin in the dashboard.
• Use test keys for local and staging origins.
• Origin errors include request IDs and docs links for debugging.

Every JSON API response should include a request_id and an X-Request-Id header. Include that value when you contact support.