FEATURES

API keys

secret_server keys for backend integrations and public_widget keys (pk_live_*) for browser embeds.

Overview

secret_server keys for backend integrations and public_widget keys (pk_live_*) for browser embeds.

Who should use this

Developers calling StartupCore APIs or embedding the widget.

Core concepts

public_widget: safe in HTML, bound to botId, resolves tenant via GSI. secret_server: Bearer + X-StartupCore-Api-Key-Id header. Optional workspaceId/environmentId binding.

Setup

POST /api-keys with keyType secret_server or public_widget + boundBotId for widget keys.

Required entitlement

api_keys

Required permissions

api_key.view (list), api_key.manage (create/rotate/revoke).

REST API

  • POST /tenants/{tenantId}/api-keys
  • { "name": "Site widget", "keyType": "public_widget", "boundBotId": "bot_123" }
  • Response secret field contains pk_live_...

SDK (@startupcore/api-client)

  • import startupCore from "@startupcore/api-client";
  • const { apiKey, secret } = await startupCore.apiKeys.create(tenantId, {
  • name: "Server", keyType: "secret_server",
  • });
  • const widget = await startupCore.apiKeys.create(tenantId, {
  • name: "Widget", keyType: "public_widget", boundBotId: botId,
  • });

React components

<ApiKeyTable />, <ApiKeyCreateDialog />, <ApiKeyRotateButton onClick={() => rotate(id)} />.

Widget

  • <script src="https://cdn.startupcore.com/chatbot-widget.js"
  • data-public-key="pk_live_xxx" data-bot-id="bot_123" async></script>

Security notes

Never put secret_server keys in frontend. Rotate on leak. Revoke unused keys.

Troubleshooting

401 — wrong secret or expired key. Widget 401 — botId must match boundBotId.