
API keys

API keys identify and authorize server-to-server calls for one app. Treat secret keys as sensitive credentials.

[Screenshot: Switera API keys page with live and test key sections and masked key values]

Keys are app-scoped. Always confirm the selected app before copying or rotating keys.

Key types

| Key | Where to use | Exposure |
|---|---|---|
| Publishable key | Browser or client contexts when a public identifier is expected. | Public identifier. |
| Secret key | Trusted backend services only. | Sensitive secret. |

Keys can exist for test and live environments. Keep those environments separate.

Copy a key safely

  1. Open the app.
  2. Open Admin > API Keys.
  3. Confirm whether you need the test or live section.
  4. Reveal the key only when you are ready to store it.
  5. Copy the key.
  6. Store it in the trusted backend environment.
  7. Hide the key again.
  8. Confirm the backend can call Switera successfully.

Never paste a secret key into frontend code, public tickets, analytics tools, screenshots, or chat.

Use a key from your backend

Example:

curl https://switera.com/api/v1/apps \
-H "Authorization: Bearer $SWITERA_SECRET_KEY"

Store SWITERA_SECRET_KEY in your backend secret storage. Do not commit it to source control.

Rotate keys

Rotate keys when:

  • a key may be exposed
  • a team member with key access leaves
  • your policy requires scheduled rotation
  • you are moving from test to production credentials

Safe rotation pattern:

  1. Create or rotate the replacement key.
  2. Deploy the new key to the backend environment.
  3. Restart or reload the backend service.
  4. Confirm API calls work.
  5. Remove the old key from all systems.
  6. Check audit logs.
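
Step 4 of the rotation pattern as a script, added here as an example and not Switera's own tooling: it checks a replacement key against the endpoint from the curl example before the old key is removed, and hands the header to curl on stdin so the secret stays out of the process list. The key alphabet check, the reading of 401/403 as a rejected key, and the `HTTP_CLIENT` override are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Switera tooling.
# HTTP_CLIENT is a hypothetical override so the check can be exercised offline.
SWITERA_URL="https://switera.com/api/v1/apps"   # endpoint from the curl example on this page

# Emit a curl config line carrying the Authorization header. curl reads it
# on stdin (-K -), so the secret never appears in argv or `ps` output.
switera_curl_config() {
  local key="$1"
  # Assumed key alphabet (the page does not document the format): reject
  # anything else so a malformed value cannot inject extra curl options.
  case "$key" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$key"
}

# Print the HTTP status code of one authenticated call made with the key.
switera_status() {
  local cfg
  cfg="$(switera_curl_config "$1")" || return 2
  printf '%s\n' "$cfg" |
    "${HTTP_CLIENT:-curl}" -sS -o /dev/null -w '%{http_code}' -K - "$SWITERA_URL"
}

# Rotation step 4: confirm the replacement key works before step 5 removes
# the old one. Treating 401/403 as "key rejected" is an assumption about the API.
verify_rotation() {
  local status
  switera_curl_config "$1" >/dev/null || { echo "invalid-key-format"; return 1; }
  status="$(switera_status "$1")" || status="000"
  case "$status" in
    2??)     echo "cutover-ok" ;;
    401|403) echo "new-key-rejected"; return 1 ;;
    *)       echo "inconclusive:$status"; return 1 ;;
  esac
}
```

Run `verify_rotation "$SWITERA_SECRET_KEY"` from the backend environment after deploying the new key; a non-zero exit means the old key should stay in place until the cause is found.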

Common mistakes

  • Using a live key in a test environment.
  • Embedding a secret key in frontend code.
  • Posting keys in support tickets or chat.
  • Rotating a key before the backend has the replacement.
  • Treating a publishable key as proof of authorization.
