Authenticate every Conductor API request with secret or publishable keys.
Conductor authenticates every request with an API key. Keys are created and managed per project in the Dashboard. If a request is sent without a valid key, Conductor responds with 401 Unauthorized.
Secret keys – full-access credentials for server-to-server communication. Store them in environment variables or a secrets manager and rotate them immediately if they are ever exposed.
Publishable key – a public identifier used when you create an auth session to redirect an end-user into Conductor’s auth flow. It is safe to embed in client-side code or commit to your repository.
How Conductor secures your keys: Secret keys are generated as
cryptographically signed JWTs (HS256). When you send a request, Conductor
validates the signature and looks up the embedded identifier in the database.
The full plaintext token is never stored on our servers: we keep only
a masked representation (for display) or an irreversible SHA-256 hash (for
legacy keys). Even in the unlikely event of a database breach, attackers would
not obtain usable secret keys.
A project can have multiple secret keys. Use separate keys for staging, production, CI, etc.
Click Create secret key, give it a memorable name, then copy the token. The full value is shown only once – after you close the dialog you will only see a masked version.
Delete a secret key at any time. Requests signed with that key will start failing immediately.
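The scheme described under "How Conductor secures your keys" and the effect of deleting a key can be sketched as follows. This is an added illustration, not Conductor's implementation: `SIGNING_SECRET`, `KEY_STORE`, the `jti` and `project` claim names and the masking format are assumptions, and the legacy SHA-256 path is not shown.

```python
import base64
import hashlib
import hmac
import json
import secrets

SIGNING_SECRET = secrets.token_bytes(32)  # assumption: HS256 secret held outside the database
KEY_STORE = {}  # assumption: stand-in for the database; key id -> record, no plaintext token


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest())


def create_secret_key(project_id: str, name: str) -> str:
    """Issue an HS256 JWT; persist only its identifier and a masked form."""
    key_id = secrets.token_hex(8)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"jti": key_id, "project": project_id}).encode())  # claim names assumed
    token = f"{header}.{payload}.{_sign(f'{header}.{payload}')}"
    KEY_STORE[key_id] = {"project": project_id, "name": name,
                         "masked": token[:6] + "..." + token[-4:]}
    return token  # returned once to the caller, never stored


def authenticate(token: str):
    """Return (200, project_id) for a valid, non-deleted key, else (401, None)."""
    try:
        header, payload, signature = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return 401, None  # pin the algorithm instead of trusting the header
        if not hmac.compare_digest(signature, _sign(f"{header}.{payload}")):
            return 401, None  # constant-time comparison of the signature
        record = KEY_STORE.get(json.loads(_unb64(payload))["jti"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return 401, None  # malformed token
    return (200, record["project"]) if record else (401, None)


def delete_secret_key(key_id: str) -> None:
    KEY_STORE.pop(key_id, None)  # the signature still verifies, but the lookup now fails
```

A copy of `KEY_STORE` alone contains no value that `authenticate` accepts, and removing a record rejects the matching token on the very next request.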
Every project automatically receives one publishable key when the project is created. It cannot be deleted but can be copied from the Dashboard whenever you need it.