Skip to main content
All API requests require authentication using API keys. shortkit uses two types of keys for different contexts.

API key types

Key TypePrefixUse CasePermissions
Secret keysk_live_ / sk_test_Server-side API callsFull access
Publishable keypk_live_ / pk_test_Client SDK initializationRead-only, limited
Never expose secret keys in client-side code, public repositories, or browser environments. Secret keys have full API access.

Using API keys

Server-side requests

Include your secret key in the Authorization header: 
curl https://api.shortkit.dev/v1/content \
  -H "Authorization: Bearer sk_live_your_secret_key"

SDK initialization

Use publishable keys when initializing client SDKs: 
shortkit.initialize(apiKey: "pk_live_your_publishable_key")

Environments

Each environment has separate API keys:
EnvironmentKey PrefixesPurpose
Productionsk_live_, pk_live_Live traffic, real data
Stagingsk_test_, pk_test_Testing, development
Data is isolated between environments. Test keys cannot access production data and vice versa.

Obtaining API keys

Admin Portal

  1. Go to Settings → API Keys
  2. View existing keys or create new ones
  3. Copy the key (shown only once for secret keys)

Key permissions

Secret keys have full access. Publishable keys are restricted to:
  • Fetching feed content (read-only)
  • Sending engagement events
  • Reading public configuration
Publishable keys cannot:
  • Create, update, or delete content
  • Access analytics data
  • Modify configuration
  • Manage webhooks

Key management

Rotating keys

To rotate a compromised or expired key:
  1. Go to Settings → API Keys
  2. Click Create New Key
  3. Update your application with the new key
  4. Delete the old key once migration is complete
Plan key rotations during low-traffic periods. Update all services using the key before deleting the old one.

Revoking keys

Immediately revoke compromised keys:
  1. Go to Settings → API Keys
  2. Find the compromised key
  3. Click Revoke
Revoked keys stop working immediately. Any requests using the key will receive a 401 Unauthorized response.

Key metadata

Add descriptions to track key usage: 
curl -X POST https://api.shortkit.dev/v1/api-keys \
  -H "Authorization: Bearer sk_live_your_secret_key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "secret",
    "description": "Backend service - production"
  }'

Authentication errors

StatusError CodeDescription
401UNAUTHORIZEDMissing or invalid API key
401KEY_REVOKEDAPI key has been revoked
403FORBIDDENKey lacks required permissions
403ENVIRONMENT_MISMATCHUsing test key on production endpoint

Error response example

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid API key provided"
  },
  "meta": {
    "requestId": "req_xyz789"
  }
}

Security best practices

Store keys in environment variables, not in code:
# .env file (never commit this)
SHORTKIT_SECRET_KEY=sk_live_your_secret_key

// Access in code
const apiKey = process.env.SHORTKIT_SECRET_KEY;
Create separate keys for different services. If one is compromised, impact is limited.
Review API key usage in Settings → API Keys → Usage. Look for unusual patterns that might indicate compromise.
Never use production keys during development. Use staging keys to avoid accidental data modification.
Rotate keys periodically (e.g., quarterly) as a security practice, not just when compromised.

SDK authentication

The SDKs handle authentication automatically once initialized. Additional options:

Organization context

For multi-tenant applications, specify organization context: 
shortkit.initialize({
  apiKey: 'pk_live_your_publishable_key',
  organizationId: 'org_abc123'  // Optional: explicit org context
});

User context

Associate requests with authenticated users: 
// After user logs in
shortkit.identifyUser({
  userId: 'user_123',
  traits: {
    plan: 'premium',
    interests: ['sports', 'music']
  }
});

Next steps

Error handling

Learn about error codes and handling.

API introduction

Overview of API design and conventions.