
# API keys

> Authenticate every Conductor API request with secret or publishable keys.

Conductor authenticates every request with an **API key**. Keys are created and managed **per project** in the Dashboard.

If a request is sent without a valid key, Conductor responds with `401 Unauthorized`.

## Key types

Each project owns two kinds of keys:

1. **Secret keys** – full-access credentials for server-to-server communication. Store them in environment variables or a secrets manager and rotate them immediately if they are ever exposed.
2. **Publishable key** – a public identifier used when you [create an auth session](/api-ref/auth-sessions/create) to redirect an end-user into Conductor’s auth flow. It is safe to embed in client-side code or commit to your repository.

<Note>
  **How Conductor secures your keys**: Secret keys are generated as
  cryptographically signed JWTs (HS256). When you send a request, Conductor
  validates the signature and looks up the embedded identifier in the database.
  The full plaintext token is <em>never</em> stored on our servers: we keep only
  a masked representation (for display) or an irreversible SHA-256 hash (for
  legacy keys). Even in the unlikely event of a database breach, attackers would
  not obtain usable secret keys.
</Note>

### Key format

```text
sk_conductor_...   # secret key
pk_conductor_...   # publishable key
```

The prefix clearly indicates the key type and prevents accidentally mixing them up.

## Managing keys in the Dashboard

### Secret keys

* A project can have **multiple secret keys**. Use separate keys for staging, production, CI, etc.

* Click **Create secret key**, give it a memorable name, then copy the token. The **full value is shown only once** – after you close the dialog you will only see a masked version.

* Delete a secret key at any time. Requests signed with that key will start failing immediately.

### Publishable key

Every project automatically receives **one publishable key** when the project is created. It cannot be deleted but can be copied from the Dashboard whenever you need it.

## Authenticating API requests

Add the key to the `Authorization` header using the `Bearer` scheme:

```http
POST https://api.conductor.is/v1/auth-sessions
Authorization: Bearer sk_conductor_...
Content-Type: application/json

{ "endUser": { … } }
```

Always send **secret keys** from a trusted environment – never ship them in browser or mobile apps.

## Rotating secret keys

1. Create a **new** secret key and deploy it everywhere your application uses Conductor.
2. Verify that requests succeed with the new key.
3. Delete the **old** key.

Keeping both keys active during the transition avoids downtime.

***

### Troubleshooting

**`API_KEY_INVALID`** – Conductor could not validate the supplied key. Check that:

* You are sending the key exactly as it appears in the Dashboard (no extra whitespace).
* You are using a **secret key** for server-side requests and the **publishable key** only when the API reference explicitly calls for it.

If the error persists, generate a fresh secret key and try again.
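
The checks above can be enforced at application startup instead of being discovered through `API_KEY_INVALID`. The following is an added example, not Conductor's own code: it rejects a key with whitespace or the wrong prefix, builds the `Authorization` header, and flags secret-key strings in text that ships to clients. The environment variable name `CONDUCTOR_SECRET_KEY`, the helper names, and the character set assumed for the token body are assumptions.

```python
import os
import re

SECRET_PREFIX = "sk_conductor_"        # prefix documented on this page
PUBLISHABLE_PREFIX = "pk_conductor_"   # prefix documented on this page
ENV_VAR = "CONDUCTOR_SECRET_KEY"       # assumed variable name, not defined by Conductor
# Assumption: the token body uses JWT-style characters (base64url plus dots).
LEAK_RE = re.compile(r"sk_conductor_[A-Za-z0-9_\-.]{8,}")


class KeyConfigError(ValueError):
    """Raised at startup so a bad key never reaches a request."""


def mask(key):
    """Log-safe form: the type prefix plus the last four characters."""
    return f"{key[:len(SECRET_PREFIX)]}...{key[-4:]}"


def load_secret_key(environ=os.environ):
    """Return the secret key from the environment, or fail closed."""
    raw = environ.get(ENV_VAR, "")
    if not raw:
        raise KeyConfigError(f"{ENV_VAR} is not set")
    if any(ch.isspace() for ch in raw):
        raise KeyConfigError(f"{ENV_VAR} contains whitespace")
    if raw.startswith(PUBLISHABLE_PREFIX):
        raise KeyConfigError("publishable key supplied where a secret key is required")
    if not raw.startswith(SECRET_PREFIX) or len(raw) == len(SECRET_PREFIX):
        raise KeyConfigError("value is not a Conductor secret key")
    return raw


def auth_headers(secret_key):
    """Headers for a server-side request, using the Bearer scheme."""
    return {"Authorization": f"Bearer {secret_key}", "Content-Type": "application/json"}


def find_leaked_secret_keys(text):
    """Masked secret-key matches in text that ships to clients (e.g. a JS bundle)."""
    return [mask(match) for match in LEAK_RE.findall(text)]


if __name__ == "__main__":
    demo_key = SECRET_PREFIX + "EXAMPLEONLY.constructed.0000"  # constructed, not a real key
    print(mask(load_secret_key({ENV_VAR: demo_key})))
    bundle = 'headers: {Authorization: "Bearer ' + demo_key + '"}'  # constructed sample
    print(find_leaked_secret_keys(bundle))
```

Running `find_leaked_secret_keys` over built client assets in CI gives an early signal that a secret key needs rotating; the publishable key is deliberately not matched.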

