FEATURES
API keys
secret_server keys for backend integrations and public_widget keys (pk_live_*) for browser embeds.
Overview
secret_server keys for backend integrations and public_widget keys (pk_live_*) for browser embeds.
Who should use this
Developers calling StartupCore APIs or embedding the widget.
Core concepts
public_widget: safe in HTML, bound to botId, resolves tenant via GSI. secret_server: Bearer + X-StartupCore-Api-Key-Id header. Optional workspaceId/environmentId binding.
Setup
POST /api-keys with keyType secret_server or public_widget + boundBotId for widget keys.
Required entitlement
api_keys
Required permissions
api_key.view (list), api_key.manage (create/rotate/revoke).
REST API
- POST /tenants/{tenantId}/api-keys
- { "name": "Site widget", "keyType": "public_widget", "boundBotId": "bot_123" }
- Response secret field contains pk_live_...
SDK (@startupcore/api-client)
- import startupCore from "@startupcore/api-client";
- const { apiKey, secret } = await startupCore.apiKeys.create(tenantId, {
- name: "Server", keyType: "secret_server",
- });
- const widget = await startupCore.apiKeys.create(tenantId, {
- name: "Widget", keyType: "public_widget", boundBotId: botId,
- });
React components
<ApiKeyTable />, <ApiKeyCreateDialog />, <ApiKeyRotateButton onClick={() => rotate(id)} />.
Widget
- <script src="https://cdn.startupcore.com/chatbot-widget.js"
- data-public-key="pk_live_xxx" data-bot-id="bot_123" async></script>
Security notes
Never put secret_server keys in frontend. Rotate on leak. Revoke unused keys.
Troubleshooting
401 — wrong secret or expired key. Widget 401 — botId must match boundBotId.