API keys are account-level secrets used for server-side workflows such as generating signed embed payloads.
Creating an API key
Go to Settings > API Keys and create a key with a clear name or description. The secret key is shown only once when it is created.
Store the secret in a secure server-side environment such as a secrets manager, environment variable, or backend configuration system.
Using an API key
Use API keys on your server to sign embed data. The browser should receive only the final signed payload or URL, not the API key.
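The server-side signing pattern described above, as an added example that is not this product's own code or signing format. The HMAC-SHA256 token layout, the `EMBED_API_KEY` variable name, the payload fields, and `verify_embed` (a stand-in for the check the service would perform) are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def load_key(env_var: str = "EMBED_API_KEY") -> bytes:
    # EMBED_API_KEY is a hypothetical variable name; the secret is never hard-coded.
    secret = os.environ.get(env_var)
    if not secret:
        raise RuntimeError(f"{env_var} is not set; refusing to sign")
    return secret.encode()

def mac(key: bytes, payload: str) -> bytes:
    return b64url(hmac.new(key, payload.encode(), hashlib.sha256).digest()).encode()

def sign_embed(data: dict, key: bytes, ttl: int = 300, now=None) -> str:
    # Assumed scheme: HMAC-SHA256 over canonical JSON with a short expiry.
    issued = int(time.time() if now is None else now)
    body = json.dumps({**data, "exp": issued + ttl}, sort_keys=True, separators=(",", ":"))
    payload = b64url(body.encode())
    return f"{payload}.{mac(key, payload).decode()}"

def verify_embed(token: str, key: bytes, now=None):
    # Stand-in for the service-side check; returns the claims or None.
    payload, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig.encode(), mac(key, payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    current = time.time() if now is None else now
    return claims if claims["exp"] >= current else None

if __name__ == "__main__":
    # Constructed demo secret; in production the value comes from the secrets manager.
    os.environ.setdefault("EMBED_API_KEY", "constructed-demo-secret")
    key = load_key()
    token = sign_embed({"embed_id": "demo-1", "viewer": "user-17"}, key)
    print("send to browser:", token)  # only this string leaves the server
    print("valid:", verify_embed(token, key) is not None)
    print("after rotation:", verify_embed(token, b"new-key"))  # None
```

Only the returned token reaches the browser. Under this assumed scheme, a token signed with a key that has since been rotated fails verification, as does one whose payload was altered.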
Revoking an API key
Revoke an API key when it is no longer needed, may have been exposed, or should no longer be able to sign embeds. Revocation cannot be undone.
Best practices
- Use descriptive names.
- Keep keys out of client-side code.
- Rotate keys when team access changes.
- Revoke unused keys.
- Use separate keys for different environments or applications when possible.