Authentication
How to authenticate calls to the StaySignals API.
Each StaySignals project uses two kinds of keys.
| Kind | Prefix | Where it lives | Purpose |
|---|---|---|---|
| Publishable | pk_<project>_... | Browser (via data-key on the SDK tag) | Identifies the project to the SDK. Safe to expose. |
| Secret | sk_<project>_... | Server only | Authenticates calls to POST /v1/risk. |
You can create multiple keys of each kind. Generate and manage them in the Dashboard under Project settings.
Authenticating API calls
Every request to POST /v1/risk must include an X-StaySignals-Key header with the project's secret key.
```
curl https://api.staysignals.com/v1/risk \
  -H "X-StaySignals-Key: sk_<project>_abc123" \
  -H "Content-Type: application/json" \
  -d '{ ... }'
```

Using a publishable key where a secret key is required returns 403 key_mode_mismatch. See Errors.
Environments
StaySignals does not have test mode keys or sandbox endpoints. Each project is its own isolated environment.
To separate development and production, create two projects — one for each — and use each project's keys in the corresponding environment. Projects are independent; data from one project never mixes with another.
Managing keys
Secret keys are shown once, at the moment you create them. The Dashboard does not reveal the value again afterwards — if you lose it, revoke the key and create a new one.
A project can hold multiple secret keys at the same time, which makes rotation zero-downtime:
- Create a new secret key in the Dashboard and copy its value.
- Deploy it to your server.
- Once traffic is using the new key, revoke the old one.
All active keys for a project are equivalent — any of them authenticates POST /v1/risk. Revoking a key takes effect immediately.
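The header requirement under Authenticating API calls and the rotation steps above, combined in one added server-side client (example code, not part of the StaySignals SDK or docs). It assumes keys have the shape sk_<project>_<random> with no underscores inside either part, that the secret key is supplied through an environment variable named STAYSIGNALS_SECRET_KEY, and uses a constructed placeholder payload, since the request fields are documented elsewhere.

```python
import json
import os
import re
import urllib.error
import urllib.request

API_URL = "https://api.staysignals.com/v1/risk"  # endpoint from the docs

# Key shape from the docs: <mode>_<project>_<random>. Treating the project and
# random parts as underscore-free is an assumption; adjust if your keys differ.
KEY_RE = re.compile(r"^(sk|pk)_([^_]+)_([^_]+)$")


def key_mode(key: str) -> str:
    """Return 'secret' for sk_ keys and 'publishable' for pk_ keys."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError("value is not a StaySignals key")
    return "secret" if m.group(1) == "sk" else "publishable"


def redact(key: str) -> str:
    """Key form that is safe for logs: mode and project only, never the secret part."""
    m = KEY_RE.match(key)
    return f"{m.group(1)}_{m.group(2)}_***" if m else "<invalid key>"


def build_risk_request(key: str, payload: dict) -> tuple:
    """Build (headers, body) for POST /v1/risk.

    Refuses a publishable key locally, so a misconfigured server fails at
    startup instead of sending pk_ keys and receiving 403 key_mode_mismatch.
    """
    if key_mode(key) != "secret":
        raise ValueError(f"POST /v1/risk needs a secret key, got {redact(key)}")
    headers = {"X-StaySignals-Key": key, "Content-Type": "application/json"}
    return headers, json.dumps(payload).encode()


def post_risk(payload: dict, key: str = "") -> dict:
    """Send a risk request with the key from STAYSIGNALS_SECRET_KEY (assumed
    env var name). Rotation is then a config change: deploy the new value,
    confirm traffic uses it, then revoke the old key in the Dashboard."""
    key = key or os.environ["STAYSIGNALS_SECRET_KEY"]
    headers, body = build_risk_request(key, payload)
    req = urllib.request.Request(API_URL, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        # Log the redacted key so an error line never leaks the secret
        raise RuntimeError(f"risk call failed: HTTP {e.code} using {redact(key)}") from e
```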