There are several different kinds of keys and tokens across Amplitude's products. This guide walks through what each is for, the basics you need to know about using them, and how to find them.
This table gives a brief overview of each kind of key.
Product | Key | Public | Can it be rotated? |
---|---|---|---|
Analytics | Project API Key | ✅ | ❌ |
Analytics | Project Secret Key | ❌ | Contact Support |
Experiment | Deployment Key (client-side) | ✅ | ✅ |
Experiment | Deployment Key (server-side) | ❌ | ✅ |
Experiment | Management API Key | ❌ | ✅ |
Data | API Token | ❌ | ✅ |
Other | SCIM Key | ❌ | ✅ |
Other | Org-level keys | ❌ | Contact Support |
Analytics keys are automatically created for each project, and can only be used to manipulate data within the project the key belongs to.
To view your project's API Key and Secret Key, see Authentication.
To ingest data from browsers and mobile applications, Amplitude must be able to identify which project the requests should go to. Amplitude does this with an API Key that's associated with a single project.
Files sent to a browser and code distributed as part of a mobile app are shared with end users, so the API Key can't be truly secret.
Because there's no way to keep the API Key secret, the scope of what the key can be used for is limited to the bare minimum needed to ingest data into Amplitude. This isn't unique to Amplitude: all services that support ingesting data from browsers or mobile apps have a similar key, though what they call it may vary.
API Keys are public. They aren't vulnerable to leaks or compromises.
Projects also have a Secret Key. It is used in conjunction with the project API Key to manage your account.
Keep the Secret Key private. If your Secret Key is compromised, contact Amplitude Support.
Use API Tokens to authenticate to Amplitude Data without logging in with your email address and a password. Tokens authorize applications to enjoy the same roles and permissions granted to you when you log in directly.
Keep your token secret. Your token has global permissions on your account.
You can create and revoke these as needed by navigating to Data > Settings > API Tokens.
When you create a deployment, Experiment creates a key for that deployment. Whether the key is public or private depends on whether the deployment is client-side or server-side.
These deployments run on a client device, such as a web browser or mobile app. The key associated with client deployments can be viewed publicly and should be used in client-side SDKs. These keys are prepended with `client-`. Because this key is already public, you don't have to worry about it being compromised.
These deployments run on a server you control, such as a web server or batch processing system. The key associated with server deployments should be kept secret and is for use in server-side SDKs. These keys are prepended with `server-`. If a server-side key is compromised, create a new deployment key, replace the old key with the new key on all flags and experiments, and delete the old key.
Manage your Deployment keys in Experiment > Deployments.
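The `client-` / `server-` prefixes make it possible to check, before release, that no server-side deployment key has ended up in a file shipped to end users. The following is an added example, not Amplitude's code: the key body pattern (16 or more alphanumeric characters), the function names, and the sample bundle are assumptions, since this page documents only the prefixes.

```python
import re

# Assumption: only the "client-" / "server-" prefixes come from the page.
# The body pattern (16+ alphanumeric characters) is a guess for illustration;
# excluding "-" from the body avoids matching phrases like "server-side-rendering".
KEY_RE = re.compile(r"\b(client|server)-([A-Za-z0-9]{16,})")


def redact(key):
    """Keep the prefix and last 4 characters so findings can be logged safely."""
    prefix, _, body = key.partition("-")
    return f"{prefix}-{'*' * 8}{body[-4:]}"


def scan_client_artifact(name, text):
    """Return findings for server-side deployment keys in a file shipped to users."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            # client- keys are public by design; only server- keys are a finding.
            if match.group(1) == "server":
                findings.append(
                    {"file": name, "line": lineno, "key": redact(match.group(0))}
                )
    return findings


# Constructed sample bundle; both key values are made up.
SAMPLE_BUNDLE = """\
const deploymentKey = "client-AbCdEfGhIjKlMnOpQrSt0123";
// leftover from local testing
const debugKey = "server-ZyXwVuTsRqPoNmLkJiHg9876";
"""

if __name__ == "__main__":
    for f in scan_client_artifact("app.bundle.js", SAMPLE_BUNDLE):
        print(f"{f['file']}:{f['line']}: server-side deployment key "
              f"{f['key']} found in client artifact")
```

A finding from a check like this means the key should be treated as compromised and replaced using the steps above, not just removed from the file.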
Management API keys are used to authenticate requests made to manage flags and experiments. These keys are different from the deployment keys used to fetch flag variants.
Keep your Management API key secret. If your key has been compromised, create a new key and delete the old key.
Create and manage these keys via the Management API link in the Experiment sidebar.
Some APIs require an org-level API Key and Secret Key. You must request these from Amplitude Support.
Keep org-level keys private. They have access to your entire Amplitude organization. If they have been compromised, contact Amplitude Support.
The SCIM key is used with the SCIM API. SCIM features are available in accounts with an Enterprise plan.
Keep your token secret. It has global user management permissions on your account. If your key has been compromised, you can rotate it yourself in Amplitude.
See Set up SCIM provisioning in Amplitude for more information.
June 10th, 2024