Loading docs...

👋 Need help? Chat with us!

Managing API Keys

Create, secure, and rotate your API keys. Best practices for production deployments.

Beginner5 min readUpdated 2024-12-28

API keys are how your systems authenticate with AdsMAA. Get them right, and you're secure. Get them wrong, and you're vulnerable.

This guide covers everything you need to know.

Understanding API Keys

What is an API Key?

An API key is a secret string that proves your request is authorized. It looks like this:

****

output

 sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6 │  │    │ │  │    └── Unique identifier (32+ characters) │  └── Environment (live or test) └── Key type (sk = secret key) ****

Live vs Test Keys

Type	Prefix	Purpose
Live	sk_live_	Production tracking and real data
Test	sk_test_	Development and testing

Never use test keys in production. Test events don't forward to Meta/Google and don't affect your analytics.

Creating Keys

Via Dashboard

Go to Settings → Developer → API Keys
Click Create New Key
Enter a descriptive name (e.g., "Production Website Tracking")
Select permissions
Click Create
Copy the key immediately - it's shown only once!

Via API

****`bash POST /api/v1/auth/api-keys Authorization: Bearer {your_user_token} Content-Type: application/json

{ "name": "Production Tracking Key", "permissions": ["tracking"] } ****`

Response: ****

output

json {   "id": "key_abc123",   "key": "sk_live_a1b2c3d4...",  // Only shown once!   "name": "Production Tracking Key",   "permissions": ["tracking"],   "createdAt": "2024-12-28T10:00:00Z" } ****

Key Permissions

Not every key needs full access. We support granular permissions:

Available Permissions

Permission	What It Allows
tracking	Send events via SDK or API
analytics:read	Read analytics and reports
campaigns:read	View campaigns
campaigns:write	Create/edit campaigns
ai:read	View AI insights
ai:write	Execute AI actions

Recommended Key Configurations

Use Case	Permissions	Why
Website SDK	tracking only	Least privilege for client-side
Analytics dashboard	analytics:read	Read-only for reporting
Campaign automation	campaigns:write, ai:write	Needs to modify campaigns
Full integration	All permissions	Server-to-server only

Security Best Practices

Do

Use descriptive names - "Prod Website Tracking" not "key1"
Create separate keys for each integration
Store in environment variables - Never hardcode in source
Rotate every 90 days - Regular rotation limits exposure
Revoke immediately if compromised

Don't

Never commit to Git - Add to .gitignore
Never share between team members - Each person gets their own
Never use full permissions when limited would work
Never use live keys in test environments

Environment Variable Example

****`bash

.env (never commit this!)

ADSMAI_API_KEY=sk_live_a1b2c3d4... ****`

****

output

javascript // Your code const apiKey = process.env.ADSMAI_API_KEY; ****

Key Rotation

When to Rotate

Situation	Action
Every 90 days	Scheduled rotation
Team member leaves	Immediate rotation of keys they accessed
Suspected breach	Immediate rotation
Moving environments	Create new key for new environment

How to Rotate

Create new key with same permissions
Update your integration with new key
Verify new key works in production
Revoke old key once confirmed

Zero-downtime rotation: Update the new key in your environment, deploy, then revoke the old key. No interruption to tracking.

Revoking Keys

****

output

bash DELETE /api/v1/auth/api-keys/{keyId} Authorization: Bearer {your_user_token} ****

Or via dashboard: Settings → API Keys → Click the trash icon.

Recap

Here's what you learned:

API keys authenticate your requests - Keep them secret
Use minimum permissions - Tracking-only for website SDKs
Store in environment variables - Never in code
Rotate every 90 days - Or immediately if compromised
Keys can't be retrieved - Save them when created

Your API keys are the front door to your data. Treat them accordingly.

Next step: Install the JavaScript SDK using your new tracking key.

Key Takeaways

1Create separate keys for each integration
2Use minimum necessary permissions
3Keys are hashed - can't be retrieved after creation
4Rotate keys every 90 days for security

Frequently Asked Questions

What happens if my key is stolen?

Revoke it immediately from Settings → API Keys. Create a new key and update your integration. The revoked key stops working within 60 seconds.

Can I see the full key after creation?

No. For security, we only store a hash. The full key is shown once at creation. If you lose it, create a new key.

Is there a limit on API keys?

No hard limit, but we recommend keeping it manageable. One per integration or environment is typical.

Was this article helpful?

Ask a question

Continue Reading

integrations

Unified JavaScript SDK

One SDK for all platforms. Auto-loads Meta Pixel, GA4, and Clarity based on your connected integrations.

security

Team Roles & Permissions

Set up your team with the right access levels. From read-only stakeholders to full admin control.

Loading docs...

Managing API Keys

Create, secure, and rotate your API keys. Best practices for production deployments.

Beginner5 min readUpdated 2024-12-28

API keys are how your systems authenticate with AdsMAA. Get them right, and you're secure. Get them wrong, and you're vulnerable.

This guide covers everything you need to know.

Understanding API Keys

What is an API Key?

An API key is a secret string that proves your request is authorized. It looks like this:

****

output

 sk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6 │  │    │ │  │    └── Unique identifier (32+ characters) │  └── Environment (live or test) └── Key type (sk = secret key) ****

Live vs Test Keys

Type	Prefix	Purpose
Live	sk_live_	Production tracking and real data
Test	sk_test_	Development and testing

Never use test keys in production. Test events don't forward to Meta/Google and don't affect your analytics.

Creating Keys

Via Dashboard

Go to Settings → Developer → API Keys
Click Create New Key
Enter a descriptive name (e.g., "Production Website Tracking")
Select permissions
Click Create
Copy the key immediately - it's shown only once!

Via API

****`bash POST /api/v1/auth/api-keys Authorization: Bearer {your_user_token} Content-Type: application/json

{ "name": "Production Tracking Key", "permissions": ["tracking"] } ****`

Response: ****

output

json {   "id": "key_abc123",   "key": "sk_live_a1b2c3d4...",  // Only shown once!   "name": "Production Tracking Key",   "permissions": ["tracking"],   "createdAt": "2024-12-28T10:00:00Z" } ****

Key Permissions

Not every key needs full access. We support granular permissions:

Available Permissions

Permission	What It Allows
tracking	Send events via SDK or API
analytics:read	Read analytics and reports
campaigns:read	View campaigns
campaigns:write	Create/edit campaigns
ai:read	View AI insights
ai:write	Execute AI actions

Recommended Key Configurations

Use Case	Permissions	Why
Website SDK	tracking only	Least privilege for client-side
Analytics dashboard	analytics:read	Read-only for reporting
Campaign automation	campaigns:write, ai:write	Needs to modify campaigns
Full integration	All permissions	Server-to-server only

Security Best Practices

Do

Use descriptive names - "Prod Website Tracking" not "key1"
Create separate keys for each integration
Store in environment variables - Never hardcode in source
Rotate every 90 days - Regular rotation limits exposure
Revoke immediately if compromised

Don't

Never commit to Git - Add to .gitignore
Never share between team members - Each person gets their own
Never use full permissions when limited would work
Never use live keys in test environments

Environment Variable Example

****`bash

.env (never commit this!)

ADSMAI_API_KEY=sk_live_a1b2c3d4... ****`

****

output

javascript // Your code const apiKey = process.env.ADSMAI_API_KEY; ****

Key Rotation

When to Rotate

Situation	Action
Every 90 days	Scheduled rotation
Team member leaves	Immediate rotation of keys they accessed
Suspected breach	Immediate rotation
Moving environments	Create new key for new environment

How to Rotate

Create new key with same permissions
Update your integration with new key
Verify new key works in production
Revoke old key once confirmed

Zero-downtime rotation: Update the new key in your environment, deploy, then revoke the old key. No interruption to tracking.

Revoking Keys

****

output

bash DELETE /api/v1/auth/api-keys/{keyId} Authorization: Bearer {your_user_token} ****

Or via dashboard: Settings → API Keys → Click the trash icon.

Recap

Here's what you learned:

API keys authenticate your requests - Keep them secret
Use minimum permissions - Tracking-only for website SDKs
Store in environment variables - Never in code
Rotate every 90 days - Or immediately if compromised
Keys can't be retrieved - Save them when created

Your API keys are the front door to your data. Treat them accordingly.

Next step: Install the JavaScript SDK using your new tracking key.

Key Takeaways

1Create separate keys for each integration
2Use minimum necessary permissions
3Keys are hashed - can't be retrieved after creation
4Rotate keys every 90 days for security

Frequently Asked Questions

What happens if my key is stolen?

Revoke it immediately from Settings → API Keys. Create a new key and update your integration. The revoked key stops working within 60 seconds.

Can I see the full key after creation?

No. For security, we only store a hash. The full key is shown once at creation. If you lose it, create a new key.

Is there a limit on API keys?

No hard limit, but we recommend keeping it manageable. One per integration or environment is typical.

Was this article helpful?

Ask a question

Continue Reading

integrations

Unified JavaScript SDK

One SDK for all platforms. Auto-loads Meta Pixel, GA4, and Clarity based on your connected integrations.

security

Team Roles & Permissions

Set up your team with the right access levels. From read-only stakeholders to full admin control.