API Keys
Aero2 uses API keys to identify and authenticate requests to your application. Each application has two types of keys.
Key Types
Publishable Keys
- Prefix: pk_live_
- Purpose: Identify your application in frontend code
- Security: Safe to include in client-side JavaScript, mobile apps, and public repositories
- What they can do: Initiate authentication flows, identify which application a request is for
- What they cannot do: Access user data, manage settings, or perform admin operations
Secret Keys
- Prefix: sk_live_
- Purpose: Authenticate server-side API requests
- Security: Must never be exposed in client-side code, public repositories, or browser network requests
- What they can do: Full API access including user management, role management, and all admin operations
Key Management
Listing keys
View all active keys for your application in the dashboard or via the API.
Creating keys
Generate additional keys when you need separate keys for different environments or services.
Revoking keys
Revoke a key immediately if it is compromised. Revoked keys stop working instantly.
Rotating keys
When you rotate a key, Aero2 generates a new key and provides a 24-hour grace period during which the old key continues to work. This gives you time to update your application without downtime.
Initiate rotation
Request a key rotation through the dashboard or API. A new key is generated immediately.
Update your application
Deploy the new key to your servers and frontend code.
Grace period expires
After 24 hours, the old key is automatically revoked.
Best Practices
- Store secret keys in environment variables — Never hardcode them in your application source code.
- Rotate keys regularly — Periodic rotation limits the impact of a potential leak.
- Use different keys per environment — Use separate applications (and therefore separate keys) for development, staging, and production.
- Monitor key usage — Review audit logs for unexpected API activity that could indicate a compromised key.
- Revoke immediately if compromised — If a secret key is accidentally exposed, revoke it right away and rotate to a new one.
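The check below is an added example, not part of Aero2's documentation or tooling: a pre-commit or CI scan that flags sk_live_ keys hardcoded in source while leaving pk_live_ keys alone, and redacts each finding so the report does not leak the key again. The key body pattern (16 or more letters, digits, "_" or "-"), the file names, the AERO2_SECRET_KEY variable name and the sample keys are assumptions constructed for illustration; the page documents only the two prefixes.

```python
import re

# Assumption: the part after the prefix is 16+ letters, digits, "_" or "-".
# The lookbehind avoids matching inside longer identifiers such as "task_live_...".
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sk_live_[A-Za-z0-9_-]{16,}")


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so the finding can be matched
    to a key in the dashboard without printing the key itself."""
    return f"sk_live_...{key[-4:]}"


def scan_text(name: str, text: str) -> list[tuple[str, int, str]]:
    """Return (file name, line number, redacted key) for each secret key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((name, lineno, redact(match.group(0))))
    return findings


def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan a mapping of file name -> contents, in a stable order."""
    findings = []
    for name, text in sorted(files.items()):
        findings.extend(scan_text(name, text))
    return findings


# Constructed sample inputs; the keys are placeholders, not real credentials.
SAMPLE_FILES = {
    # Publishable key in frontend code: allowed, must not be reported.
    "web/src/auth.js": 'const AERO2_KEY = "pk_live_EXAMPLEexample0000publishable";\n',
    # Secret key hardcoded in frontend code: must be reported.
    "web/src/admin.js": '// TODO remove\nconst ADMIN_KEY = "sk_live_EXAMPLEexample0000secret1234";\n',
    # Secret key read from the environment (hypothetical variable name): clean.
    "server/config.py": 'import os\nSECRET = os.environ["AERO2_SECRET_KEY"]\n',
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for name, lineno, key in results:
        print(f"{name}:{lineno}: secret key {key} hardcoded in source")
    raise SystemExit(1 if results else 0)  # non-zero exit fails the commit or CI job
```

A key this scan finds in a repository should be treated as compromised and revoked, since it is already in the commit history.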