KaizoCoreKaizoCore docs

API keys

The two-key model — one safe for your frontend, one that must stay on your backend.

Two keys, two trust levels

Every account has at least one key pair:

  • pk_live_... (public) — embedded in the collector script tag on your site. It's safe to expose in HTML/JS because the SDK signs requests using SHA256(pk_live_...) as the HMAC key, not the raw key itself — a client reading your page's source can already see pk_live_..., so nothing about this scheme depends on it being secret.
  • sk_live_... (secret) — used only server-side, to sign /v1/decide calls with the raw secret as the HMAC key. This must never reach a browser.

Why the distinction matters

Because pk_live_'s effective signing key is derived from a value that's inherently public (it's in your page's HTML), it cannot be used to forge requests as your sk_live_ identity — the two live in genuinely separate trust domains, not just separate-looking strings.

Managing keys

GET    /v1/keys
POST   /v1/keys        # creates a new pk_live_/sk_live_ pair
DELETE /v1/keys/{id}   # revoke

The full secret key is shown once, at creation — store it in your backend's secret manager immediately. If it's lost, revoke it and create a new pair; KaizoCore never stores it in a form it could show you again.

Rotating keys

Create a new pair, deploy it to both your frontend script tag and backend signing config, confirm traffic is flowing on the new pair (check the dashboard's Live Feed), then revoke the old one. There's no forced expiration — rotate on your own schedule.

On this page