Conductor authenticates your API requests using your account’s API keys. If a request does not include a valid key, Conductor returns an invalid request error.

Secret and publishable keys

Every Conductor accounts has two API keys:

  1. Secret key: Use this key to authenticate requests to Conductor’s API from your server-side code. It is sensitive and should be deleted if leaked. Store this key securely in your server, such as in an environment variable or credential management system. Do not expose this key on a website or in client-side code.

  2. Publishable key: Use this key when creating an AuthSession, which returns the auth flow URL to which you direct your end-user. The auth flow is a client-side web app that uses the publishable key to authenticate your end-user. This key can be safely shared and does not need to be kept secret.