Key types
Each project owns two kinds of keys:
- Secret keys – full-access credentials for server-to-server communication. Store them in environment variables or a secrets manager and rotate them immediately if they are ever exposed.
- Publishable key – a public identifier used when you create an auth session to redirect an end-user into Conductor’s auth flow. It is safe to embed in client-side code or commit to your repository.
How Conductor secures your keys: Secret keys are generated as cryptographically signed JWTs (HS256). When you send a request, Conductor validates the signature and looks up the embedded identifier in the database. The full plaintext token is never stored on our servers: we keep only a masked representation (for display) or an irreversible SHA-256 hash (for legacy keys). Even in the unlikely event of a database breach, attackers would not obtain usable secret keys.
Key format
Managing keys in the Dashboard
Secret keys
- A project can have multiple secret keys. Use separate keys for staging, production, CI, etc.
- Click Create secret key, give it a memorable name, then copy the token. The full value is shown only once – after you close the dialog you will only see a masked version.
- Delete a secret key at any time. Requests signed with that key will start failing immediately.
Publishable key
Every project automatically receives one publishable key when the project is created. It cannot be deleted, but it can be copied from the Dashboard whenever you need it.
Authenticating API requests
Add the key to the Authorization header using the Bearer scheme:
Rotating secret keys
- Create a new secret key and deploy it everywhere your application uses Conductor.
- Verify that requests succeed with the new key.
- Delete the old key.
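The following Python script is an added illustration of the two steps above (sending the key in the Authorization header with the Bearer scheme, and rotating keys by adding a new key before deleting the old one) together with the server-side checks described under "How Conductor secures your keys". It is not Conductor's own code: the HS256 signing secret, the "kid" claim used to carry the key identifier, the mask() layout and the KeyStore class are all assumptions made here so the example runs offline with only the standard library.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical server-side signing secret (constructed for this example;
# a real service would load it from a secrets manager, never from source).
SIGNING_SECRET = b"example-signing-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_secret_key(key_id: str, secret: bytes = SIGNING_SECRET) -> str:
    """Create an HS256 JWT whose payload carries only the key identifier ("kid" is assumed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"kid": key_id}, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def mask(token: str) -> str:
    """Display-only form of a token: short prefix and suffix, everything else hidden."""
    return token[:8] + "..." + token[-4:]


class KeyStore:
    """Server-side record: active key ids with a masked display value for JWT keys,
    SHA-256 digests for legacy opaque keys. The plaintext token is never kept."""

    def __init__(self) -> None:
        self.active_ids = {}        # key_id -> masked token (for the Dashboard)
        self.legacy_hashes = set()  # hex SHA-256 of legacy tokens

    def add_jwt_key(self, key_id: str, token: str) -> None:
        self.active_ids[key_id] = mask(token)

    def add_legacy_key(self, token: str) -> None:
        self.legacy_hashes.add(hashlib.sha256(token.encode()).hexdigest())

    def delete(self, key_id: str) -> None:
        # Deleting the id is enough: later signature checks still pass, the lookup fails.
        self.active_ids.pop(key_id, None)


def authorization_header(token: str) -> dict:
    """Client side: the header a request must carry."""
    return {"Authorization": f"Bearer {token}"}


def authenticate(headers: dict, store: KeyStore, secret: bytes = SIGNING_SECRET) -> Optional[str]:
    """Server side: return the key id on success, None (the caller answers 401) on failure."""
    scheme, _, token = headers.get("Authorization", "").strip().partition(" ")
    if scheme != "Bearer" or not token:
        return None
    parts = token.split(".")
    if len(parts) == 3:  # JWT-style secret key
        header_b64, payload_b64, sig_b64 = parts
        try:
            header = json.loads(_b64url_decode(header_b64))
            # Pin the algorithm: a token claiming "none" or another alg is rejected outright.
            if header.get("alg") != "HS256":
                return None
            expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
                return None
            kid = json.loads(_b64url_decode(payload_b64)).get("kid")
        except (ValueError, TypeError, AttributeError):
            return None
        return kid if kid in store.active_ids else None
    # Legacy opaque key: compare the digest, so the store never needs the plaintext.
    digest = hashlib.sha256(token.encode()).hexdigest()
    return "legacy" if digest in store.legacy_hashes else None
```

Running the rotation through this model shows why the order of the steps matters: while both ids are active, requests with either token succeed; once the old id is deleted, the old token still has a valid signature but fails the lookup, so any deployment still using it gets a 401 immediately.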
Troubleshooting
API_KEY_INVALID – Conductor could not validate the supplied key. Check that:
- You are sending the key exactly as it appears in the Dashboard (no extra whitespace).
- You are using a secret key for server-side requests and the publishable key only when the API reference explicitly calls for it.