Conductor authenticates every request with an API key. Keys are created and managed per project in the Dashboard.

If a request is sent without a valid key Conductor responds with 401 Unauthorized.

Key types

Each project owns two kinds of keys:

  1. Secret keys – full-access credentials for server-to-server communication. Store them in environment variables or a secrets-manager and rotate them immediately if they are ever exposed.
  2. Publishable key – a public identifier used when you create an auth session to redirect an end-user into Conductor’s auth flow. It is safe to embed in client-side code or commit to your repository.

How Conductor secures your keys: Secret keys are generated as cryptographically signed JWTs (HS256). When you send a request Conductor validates the signature and looks up the embedded identifier in the database. The full plaintext token is never stored on our servers: we keep only a masked representation (for display) or an irreversible SHA-256 hash (for legacy keys). Even in the unlikely event of a database breach attackers would not obtain usable secret keys.

Key format

sk_conductor_…   # secret key
pk_conductor_…   # publishable key

The prefix clearly indicates the key type and prevents accidentally mixing them up.

Managing keys in the Dashboard

Secret keys

  • A project can have multiple secret keys. Use separate keys for staging, production, CI, etc.

  • Click Create secret key, give it a memorable name, then copy the token. The full value is shown only once – after you close the dialog you will only see a masked version.

  • Delete a secret key at any time. Requests signed with that key will start failing immediately.

Publishable key

Every project automatically receives one publishable key when the project is created. It cannot be deleted but can be copied from the Dashboard whenever you need it.

Authenticating API requests

Add the key to the Authorization header using the Bearer scheme:

POST https://api.conductor.is/v1/auth-sessions
Authorization: Bearer sk_conductor_xxx…
Content-Type: application/json

{ "endUser": {  } }

Always send secret keys from a trusted environment – never ship them in browser or mobile apps.

Rotating secret keys

  1. Create a new secret key and deploy it everywhere your application uses Conductor.
  2. Verify that requests succeed with the new key.
  3. Delete the old key.

Keeping both keys active during the transition avoids downtime.

Troubleshooting

API_KEY_INVALID – Conductor could not validate the supplied key. Check that:

  • You are sending the key exactly as it appears in the Dashboard (no extra whitespace).
  • You are using a secret key for server-side requests and the publishable key only when the API reference explicitly calls for it.

If the error persists, generate a fresh secret key and try again.