Conductor authenticates your API requests using your account’s API keys. If a request does not include a valid key, Conductor returns an invalid request error.

Secret and publishable keys

Every Conductor account has two API keys:

  1. Secret key: Use this key to authenticate requests to Conductor’s API from your server-side code. It is highly sensitive and should be deleted if leaked. Store this key securely on your server, such as in an environment variable or a credential management system. Do not store this key in Git, include it in client-side code, or expose it on a website.

  2. Publishable key: Use this key when creating an AuthSession, which generates the unique auth flow URL for your end-user. Unlike the secret key, the publishable key can be safely shared, stored in Git, or included in client-side code.
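
One way to enforce the secret-key handling rules above, as an added example that is not Conductor's own code: it loads the key from an environment variable, fails closed if the variable is missing, and scans a project tree (client bundles included) for the literal key value so a leak can be caught before commit or deploy. The variable name `CONDUCTOR_SECRET_KEY`, the skipped directory names, and all function names are assumptions made for this example.

```python
import os
from pathlib import Path

ENV_VAR = "CONDUCTOR_SECRET_KEY"  # assumed variable name, not taken from Conductor's docs
SKIP_DIRS = {".git", "node_modules", ".venv"}  # assumed: directories not worth scanning


def load_secret_key(env=os.environ):
    """Return the secret key from the environment, failing closed if it is absent."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start without it")
    return key


def find_key_leaks(root, secret):
    """Return sorted (relative_path, line_number) pairs where the literal key appears."""
    needle = secret.encode()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()  # bytes, so minified or binary files are covered
            except OSError:
                continue  # unreadable file: nothing to report
            for lineno, line in enumerate(data.splitlines(), start=1):
                if needle in line:
                    hits.append((path.relative_to(root).as_posix(), lineno))
    return sorted(hits)


def redact(text, secret):
    """Mask the key in a string before it is written to logs or error reports."""
    return text.replace(secret, "[REDACTED]")


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    leaks = find_key_leaks(target, load_secret_key())
    for rel, lineno in leaks:
        print(f"secret key found in {rel}:{lineno}")  # report location only, never the key
    sys.exit(1 if leaks else 0)
```

Run as a pre-commit or CI step, the non-zero exit code blocks the change; a hit means the key should be treated as leaked.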