API keys

# API keys API keys authenticate the SDK. They're org-scoped (not tied to a product), and you generate them on the **Developer → API keys** page. ![Generate a test API key](/docs/docs-assets/api-key-test.avif) ## Generating a key On the **Developer → API keys** page: 1. Pick the environment with the **Test | Live** tab strip. The list and the key you generate are scoped to the selected tab. 2. Click **Generate key** (top right) and confirm. The key is **revealed once**, right after creation. Copy it immediately into your secret manager (GCP Secret Manager, AWS Secrets Manager, 1Password, and so on). Afterwards only a masked form (the last few characters) is shown, you can't retrieve the full key again. :::note You can hold at most **2 active keys per environment**. Once you hit the limit the button reads "Limit reached", revoke an old key to generate a new one. Generating and revoking keys is **owner/admin** only; members see a read-only list. ::: ## Key shape ``` sk_test_… sk_live_… ``` The prefix encodes the environment and is part of the credential format. A test key only creates sessions against test configurations, a live key only against live ones, with no cross-environment access. Detecting `sk_live_` in commits is a useful pre-push hook. ## Using a key Hand it to the Enterprise SDK at initialization: ```ts import { SelfClient } from '@selfxyz/enterprise-sdk'; const self = new SelfClient({ apiKey: process.env.SELF_API_KEY! }); ``` The SDK uses it on every call to `sessions.create(...)` and `sessions.get(...)`. See the [SDK reference](/docs/self-enterprise/sdk/nodejs/). ## Revocation Revoke any key from the same **API keys** page. There's no undo, generate a new one if needed. The page lists your existing keys by their last few characters and when they were created. ## Security notes * Don't put keys in front-end code. They authorize session creation, which costs money. * Don't commit keys. Use environment variables and secret managers. * If a service's key leaks, you only have to rotate that one. ## Related * [SDK reference](/docs/self-enterprise/sdk/nodejs/). * [Test vs. live](/docs/self-enterprise/flows/test-vs-live/): environments are baked into the key prefix.

API keys authenticate the SDK. They’re org-scoped (not tied to a product), and you generate them on the Developer → API keys page.

Generate a test API key

Generating a key

On the Developer → API keys page:

Pick the environment with the Test | Live tab strip. The list and the key you generate are scoped to the selected tab.
Click Generate key (top right) and confirm.

The key is revealed once, right after creation. Copy it immediately into your secret manager (GCP Secret Manager, AWS Secrets Manager, 1Password, and so on). Afterwards only a masked form (the last few characters) is shown, you can’t retrieve the full key again.

Key shape

sk_test_…
sk_live_…

The prefix encodes the environment and is part of the credential format. A test key only creates sessions against test configurations, a live key only against live ones, with no cross-environment access. Detecting sk_live_ in commits is a useful pre-push hook.

Using a key

Hand it to the Enterprise SDK at initialization:

import { SelfClient } from '@selfxyz/enterprise-sdk';

const self = new SelfClient({ apiKey: process.env.SELF_API_KEY! });

The SDK uses it on every call to sessions.create(...) and sessions.get(...). See the SDK reference.

Revocation

Revoke any key from the same API keys page. There’s no undo, generate a new one if needed. The page lists your existing keys by their last few characters and when they were created.

Security notes

Don’t put keys in front-end code. They authorize session creation, which costs money.
Don’t commit keys. Use environment variables and secret managers.
If a service’s key leaks, you only have to rotate that one.

SDK reference.
Test vs. live: environments are baked into the key prefix.