API keys

API keys let your own tools reach your workspace. There are two kinds, and the difference matters: one is a server-side secret, the other is safe to ship in your web page.

The two kinds of key

Secret key (gak_…)

Full-capability and server-side only. The CLI uses it to upload your catalog, and the MCP server uses it to authenticate. Keep it out of any client-side code.

Publishable key (pk_…)

Conversation-only and origin-bound, so it’s safe to embed in your page source — exactly what the chat widget uses. It can start a chat and nothing more.

gak_<env>_<32 base32 chars>   # secret — CLI / MCP, server-side only
pk_<test|live>_<32 base32 chars>  # publishable — embedded in your page

Creating a key

Keys are managed under Settings → API keys in the dashboard.

1. 1
   Open API keysGo to Settings → API keys and choose the environment you’re creating a key for.
2. 2
   Choose the kindCreate a secret key for the CLI or MCP, or a publishable key for the widget. Give it a name you’ll recognize later.
3. 3
   Copy it nowThe full key is shown exactly once. Copy it and store it somewhere safe before closing the dialog.

Keys are per environment

Every key belongs to one environment. A development key can’t touch production data and vice versa, which keeps your test traffic and live traffic cleanly apart.

Revoking a key

Revoke a key from the same page and it stops working immediately. Revoke right away if a key is ever exposed, then create a replacement. Revoking one key never affects any other.

Keeping keys safe

• Store secret keys in a secrets manager or environment variable — never in source control or front-end code.
• Publishable keys are made for the front end — they only start conversations and are bound to the origins you allow.
• Rotate keys periodically: create the new one, switch your tools over, then revoke the old one.
• Every key’s creation and revocation is recorded in your workspace’s audit log.

Next steps