
Understanding API Keys and Security

Learn how API keys work and how to keep them secure.


How API Keys Work

Every project has one or more API keys. The SDKs and REST API use a project's key to authenticate log ingestion. Include it in the X-API-Key header (REST API) or pass it to init() (SDKs).

Security Best Practices

Never commit API keys to version control. Use environment variables instead:

Terminal
export LOGNITOR_API_KEY=your-api-key

In your application:

JavaScript
Lognitor.init({
  apiKey: process.env.LOGNITOR_API_KEY,
  service: 'my-app',
});
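
One way to enforce the rule above before a commit lands, as an added example that is not from Lognitor's documentation or SDK: a check that flags keys hard-coded next to apiKey, X-API-Key or LOGNITOR_API_KEY. The rule names, the findHardcodedKeys and scanSamples helpers, the sample files, the key values and the logs.example.invalid URL are all constructed for illustration.

```javascript
// Added example (not Lognitor code). The key format is not documented on the
// page, so rules match the context a key appears in, not the key's shape.
const RULES = [
  // apiKey: '<literal>' in init() options; process.env.* has no quote, so it passes
  { name: 'apiKey literal', re: /\bapiKey\s*:\s*(?<q>['"`])(?<v>[^'"`$]{8,})\k<q>/ },
  // 'X-API-Key': '<literal>' (JS headers object) or "X-API-Key: <literal>" (curl -H)
  { name: 'X-API-Key literal', re: /X-API-Key(?:['"]\s*:\s*['"]|:\s*)(?<v>[^\s'"$]{8,})/i },
  // LOGNITOR_API_KEY=<value> in a .env file or script; $VAR / $(cmd) values pass
  { name: 'LOGNITOR_API_KEY assignment', re: /\bLOGNITOR_API_KEY\s*=\s*(?<q>['"]?)(?<v>[^\s'"$=]{8,})\k<q>/ },
];
// Documentation placeholders such as the page's own "your-api-key" are not secrets.
const PLACEHOLDER = /^(your-api-key|<[^>]*>|changeme|x+)$/i;

function findHardcodedKeys(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { name, re } of RULES) {
      const m = re.exec(line);
      // Report file, line and rule only; never echo the matched secret.
      if (m && !PLACEHOLDER.test(m.groups.v)) findings.push({ file, line: i + 1, rule: name });
    }
  });
  return findings;
}

// Constructed sample files; the key values and the URL are made up.
const SAMPLES = {
  'src/logging.js': "Lognitor.init({\n  apiKey: process.env.LOGNITOR_API_KEY,\n  service: 'my-app',\n});",
  'src/bad.js': "Lognitor.init({\n  apiKey: 'constructed-key-0123456789',\n});",
  '.env': 'LOGNITOR_API_KEY=constructed-key-0123456789',
  'deploy.sh': [
    'export LOGNITOR_API_KEY=your-api-key',
    'curl -H "X-API-Key: $LOGNITOR_API_KEY" https://logs.example.invalid/ingest',
    'curl -H "X-API-Key: constructed-key-0123456789" https://logs.example.invalid/ingest',
  ].join('\n'),
};

function scanSamples() {
  return Object.entries(SAMPLES).flatMap(([file, text]) => findHardcodedKeys(file, text));
}

console.log(scanSamples());
```

In a pre-commit hook or CI step, pass each staged file's contents to findHardcodedKeys and fail the run on any finding.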

Rotate keys if compromised. Go to Projects → your project → API Keys, generate a new key, update your application, then revoke the old key.

Use separate keys per environment. Create different projects (or keys) for development, staging, and production. This prevents test data from polluting production dashboards.

Key in client-side code

If you use the Browser SDK, the API key will be visible in your frontend JavaScript. This is expected — browser API keys are scoped to log ingestion only and cannot read or delete data. Use server-side keys for sensitive operations.

Key Permissions

API keys can only write data (send logs, register releases, ping heartbeats). They cannot read, search, or delete logs. Dashboard access requires a user account with email/password authentication.