API Keys
Understand the different keys used to authenticate with Notiflows APIs
Each Notiflows project has a set of keys for authenticating with different APIs. You can find and manage them in Settings → API Keys.
Key Types
Public API Key (pk_*)
The public API key identifies your project. It is safe to include in client-side code — it cannot be used alone to perform sensitive actions.
- Prefix: pk_
- Used by: User API (browser/mobile), Admin API (with secret key)
- Header: x-notiflows-api-key
Secret Key (sk_*)
The secret key authenticates server-to-server requests to the Admin API. It must be kept confidential.
- Prefix: sk_
- Used by: Admin API only
- Header: x-notiflows-secret-key
Never expose your secret key in client-side code, public repositories, or browser network requests. Use environment variables or a secrets manager.
Application Signing Key (RSA)
The signing key is an RSA key pair used for client authentication. Your backend signs JWTs with the private key; Notiflows verifies them with the public key.
- Algorithm: RS256 (RSA 2048-bit)
- Private key: Shown only once during generation — store it securely
- Public key: Stored by Notiflows
Regenerating Keys
You can regenerate any key from the dashboard:
- Go to Settings → API Keys
- Click the regenerate button next to the key
Regenerating a key immediately invalidates the old one. Update your backend before or immediately after regenerating to avoid downtime. Regenerating the signing key invalidates all existing user tokens.
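The sign-and-verify flow described under Application Signing Key, and the reason regenerating that key invalidates existing user tokens, shown as an added Node.js example (not Notiflows code or its SDK). The key pair is generated locally as a stand-in for the dashboard-generated one, and the claim names (sub, iat, exp), the user ID and the token lifetime are assumptions; see Client Authentication for the claims Notiflows expects.

```javascript
// Added example, not Notiflows code. Claim names and lifetime are assumptions.
const crypto = require("node:crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");

// Constructed RSA 2048-bit pair standing in for the dashboard-generated signing key.
function newSigningKey() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Backend side: sign a short-lived RS256 token with the private key.
function signUserToken(privateKey, userId, ttlSeconds = 300) {
  const now = Math.floor(Date.now() / 1000);
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ sub: userId, iat: now, exp: now + ttlSeconds }));
  const signingInput = `${header}.${payload}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString("base64url")}`;
}

// Verifier side: pin the algorithm, check the signature, then check expiry.
function verifyUserToken(publicKey, token) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [header, payload, sig] = parts;
  let alg, claims;
  try {
    alg = JSON.parse(Buffer.from(header, "base64url").toString()).alg;
    claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Never let the token header choose the algorithm; accept RS256 only.
  if (alg !== "RS256") return { ok: false, reason: "bad-alg" };
  const valid = crypto.verify("RSA-SHA256", Buffer.from(`${header}.${payload}`),
    publicKey, Buffer.from(sig, "base64url"));
  if (!valid) return { ok: false, reason: "bad-signature" };
  const now = Math.floor(Date.now() / 1000);
  if (!claims || typeof claims.exp !== "number" || claims.exp <= now)
    return { ok: false, reason: "expired" };
  return { ok: true, claims };
}

const oldKey = newSigningKey();
const token = signUserToken(oldKey.privateKey, "user_123"); // constructed user ID
const rotatedKey = newSigningKey(); // simulates regenerating the signing key
console.log(verifyUserToken(oldKey.publicKey, token));     // matching public key
console.log(verifyUserToken(rotatedKey.publicKey, token)); // same token after rotation
```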
Next Steps
- Admin API Reference — Using API key + secret key for server-to-server requests
- User API Authentication — Using API key + user tokens for client-side requests
- Client Authentication — Set up JWT signing for the User API
- Allowed Origins — Restrict which domains can make browser requests