API keys
The two-key model — one safe for your frontend, one that must stay on your backend.
Two keys, two trust levels
Every account has at least one key pair:
pk_live_...(public) — embedded in the collector script tag on your site. It's safe to expose in HTML/JS because the SDK signs requests usingSHA256(pk_live_...)as the HMAC key, not the raw key itself — a client reading your page's source can already seepk_live_..., so nothing about this scheme depends on it being secret.sk_live_...(secret) — used only server-side, to sign/v1/decidecalls with the raw secret as the HMAC key. This must never reach a browser.
Why the distinction matters
Because pk_live_'s effective signing key is derived from a value that's
inherently public (it's in your page's HTML), it cannot be used to forge
requests as your sk_live_ identity — the two live in genuinely separate
trust domains, not just separate-looking strings.
Managing keys
GET /v1/keys
POST /v1/keys # creates a new pk_live_/sk_live_ pair
DELETE /v1/keys/{id} # revokeThe full secret key is shown once, at creation — store it in your backend's secret manager immediately. If it's lost, revoke it and create a new pair; KaizoCore never stores it in a form it could show you again.
Rotating keys
Create a new pair, deploy it to both your frontend script tag and backend signing config, confirm traffic is flowing on the new pair (check the dashboard's Live Feed), then revoke the old one. There's no forced expiration — rotate on your own schedule.