RevenueCat authenticates requests from the REST API and the Purchases SDK using your app's API keys. All requests must include a valid API key. There are also two types of API keys: public and secret.
- Public API keys (also known as App specific keys in the dashboard) are meant to make non-potent changes to subscribers, and must be used to configure the Purchases SDK. Each app under a project is automatically provided with a public API key.
- Secret API keys, prefixed
sk_, should be kept confidential and only stored on your own servers. Your secret API keys can perform restricted API requests such as deleting subscribers and granting promotional access. Secret API keys are project-wide and can be created and revoked by project Admins. Please note: creating purchases via the REST API requires using a public API key, not a secret API key.
Legacy public API keys will continue to be supported
Public API keys generated prior to the launch of RevenueCat's project system will continue to work as before, but we recommend using the new App specific keys generated for your existing project.
You can find the API keys for your app under the API Keys tab of your project settings in the dashboard.
Public API keys will be listed under the section App specific keys. Secret API keys can be created by selecting the + New button in the top right, and will be listed under the section Private API keys.
You can also find the public API key in your app settings by selecting your app from Project Settings > Apps.
If you cannot see your API keys anywhere in the dashboard, it may mean you do not have access to them. Contact the project's owner and make sure you are added as an Admin.
Only configure the Purchases SDK with your public API key
Never embed secret API keys in your app or website.
Secret API keys can be used to make any API request on behalf of your RevenueCat account, such as granting entitlement access and deleting subscribers for your app. You should only create secret API keys if you need to use them and should ensure they are kept out of any publicly accessible areas such as GitHub, client-side code, and so forth.
You can create as many secret API keys as you need, and they can be revoked at any time. When a secret API key is revoked, it's invalidated immediately and can no longer make any requests.
- Get your products ready to purchase by configuring them in RevenueCat
Updated 12 months ago