API Keys
Programmatic access to SigSentry — three explicit key types, each minted from its own dashboard page
API keys authenticate programmatic access to SigSentry: CI jobs, the SDK, custom integrations, and any server-to-server traffic that doesn't go through the dashboard.
SigSentry has three explicit key types, each with a distinct prefix, scope, and use case:
| Prefix | Type | Scope | Created from | Use in |
|---|---|---|---|---|
| ss_pub_* | Public | Project (immutable) | Project → SDK Keys | SDK, browser, mobile, embed |
| ss_secret_* | Secret | Project (immutable) | Project → API Keys | Server-side, single-project automation |
| ss_org_* | Secret | Organization (tenant-wide) | Organization → API Keys | Server-side, cross-project automation |
The page you mint from decides the type — there's no "what kind of key?" picker. The prefix is structural: it determines what the key can do and which endpoints accept it.
If you only need to know "how do I authenticate a request" rather than how to manage keys, see Authentication.
In this section
Creating keys
The three creation flows, what the fields mean, and how to store the value safely.
Key permissions
The permission list, how it maps to API endpoints, and the locked set for ss_pub_* keys.
Revoking keys
Stop a key immediately, rotate cleanly, and respond to a leaked credential.
Picking a key type
| Use this | When |
|---|---|
| ss_pub_* (SDK key) | Anything client-side — the React SDK, a <script> embed, a mobile app. Permissions are locked to running and reading analyses, so a leak is bounded. |
| ss_secret_* (project API key) | Server code that only ever touches one project — a single CI pipeline, one deployment's logging hook, a webhook handler. |
| ss_org_* (org API key) | Cross-project automation — Terraform that provisions projects, an internal control plane that aggregates usage, a tool that lists all projects. |
When in doubt between ss_secret_* and ss_org_*, prefer ss_secret_*. Smaller scope makes leaks cheaper and audits easier.
What never changes
- The full key is shown once at creation. After dismissing the modal you can't retrieve it — only the prefix.
- The hash is HMAC-SHA256 over the raw key — SigSentry can't recover your key, only verify it.
- Revocation is immediate and permanent.
- Last-used timestamps let you spot keys that aren't in use and revoke them safely.
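
A minimal sketch of the storage model these four points describe, as an added example that is not SigSentry's own code. The server-side HMAC secret (`SERVER_PEPPER`), the random suffix format and the `KeyStore` layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a secret held only by the service and used as the HMAC key.
SERVER_PEPPER = secrets.token_bytes(32)
PREFIXES = ("ss_pub_", "ss_secret_", "ss_org_")  # the three prefixes on this page


def digest(raw_key: str) -> str:
    """HMAC-SHA256 over the raw key: one-way, so the store can verify but not recover."""
    return hmac.new(SERVER_PEPPER, raw_key.encode(), hashlib.sha256).hexdigest()


class KeyStore:
    def __init__(self):
        self.records = {}  # digest -> metadata; the raw key is never stored

    def mint(self, prefix: str) -> str:
        if prefix not in PREFIXES:
            raise ValueError(f"unknown key prefix: {prefix!r}")
        raw = prefix + secrets.token_urlsafe(32)  # assumption: random suffix format
        self.records[digest(raw)] = {"prefix": prefix, "revoked": False, "last_used": None}
        return raw  # returned once; afterwards only the prefix is retrievable

    def verify(self, presented: str):
        """Return the key's prefix if it is valid and not revoked, else None."""
        candidate = digest(presented)
        for stored, rec in self.records.items():
            if hmac.compare_digest(stored, candidate):  # constant-time comparison
                if rec["revoked"]:
                    return None
                rec["last_used"] = time.time()
                return rec["prefix"]
        return None

    def revoke(self, key_digest: str) -> None:
        self.records[key_digest]["revoked"] = True  # takes effect on the next verify()

    def unused_since(self, cutoff: float):
        """Digests of live keys never used, or last used before cutoff."""
        return [d for d, r in self.records.items()
                if not r["revoked"] and (r["last_used"] is None or r["last_used"] < cutoff)]
```

Because only the digest and prefix are kept, a dump of `records` does not expose a usable key, and there is deliberately no method that clears the `revoked` flag.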
