
Amplitude products use several kinds of keys and tokens. This guide describes what each key is for, how to use it, and where to find it.

## Keys overview

| Product    | Key                          | Public | Can it be rotated? |
| ---------- | ---------------------------- | ------ | ------------------ |
| Analytics  | Project API Key              | ✅     | ✅                 |
| Analytics  | Project Secret Key           | ❌     | ✅                 |
| Experiment | Deployment Key (client-side) | ✅     | ✅                 |
| Experiment | Deployment Key (server-side) | ❌     | ✅                 |
| Experiment | Management API Key           | ❌     | ✅                 |
| Data       | API Token                    | ❌     | ✅                 |
| Other      | SCIM Key                     | ❌     | ✅                 |
| Other      | Org-level keys               | ❌     | Contact Support    |

## Analytics keys

Amplitude creates Analytics keys automatically for each project. Each key can only manipulate data within the project it belongs to.

To view your project's API Key and Secret Key, refer to [Authentication](/docs/apis/authentication/).

### API Key

Amplitude uses an API Key to identify which project to send ingested data to. Each API Key is associated with a single project.

Browsers and mobile apps share their code with end users, so API Keys can't be truly secret. Because the API Key is public, its scope is limited to the minimum needed to ingest data into Amplitude. Other analytics services use a similar public key for browser and mobile ingestion.

{% callout type="note" heading="API keys are public" %}
API Keys are public. If an API Key is abused, revoke or rotate the key.
{% /callout %}

### Secret Key

A Secret Key authenticates you to server-side APIs that read or modify project data. Projects can have multiple Secret Keys.

{% callout type="warning" heading="Secret keys are private" %}
Keep Secret Keys private. If a Secret Key is compromised, delete the compromised key and generate a new one.
{% /callout %}

## Data keys

Use API Tokens to authenticate to Amplitude Data without an email address and password. Tokens grant applications the same roles and permissions you have when you log in directly.

{% callout type="warning" heading="Data API tokens are private" %}
Keep your token secret. The token has global permissions on your account.
{% /callout %}

Create and revoke API Tokens in **Data** > **Settings** > **API Tokens**.

## Experiment keys

### Deployment Key

When you create a [deployment](/docs/feature-experiment/data-model), Experiment creates a Deployment Key. Whether the key is public or private depends on whether the deployment is client-side or server-side.

{% callout type="tip" heading="Client-side deployment keys are public" %}
Client-side deployments run on a client device, such as a web browser or mobile app. Use client-side Deployment Keys in client-side SDKs. These keys are prefixed with `client-`. Because the key is already public, compromise isn't a concern.
{% /callout %}

{% callout type="warning" heading="Server-side deployment keys are private" %}
Server-side deployments run on a server you control, such as a web server or batch processing system. Keep server-side Deployment Keys secret and use them only in server-side SDKs. These keys are prefixed with `server-`. If a server-side key is compromised, create a new Deployment Key, replace the old key with the new key on all flags and experiments, and delete the old key.
{% /callout %}

Manage Deployment Keys in **Experiment** > **Deployments**.
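The check below is an added example, not Amplitude code: it scans files that ship to end users and reports any `server-` Deployment Key found in them, printing only a redacted form. Assumptions: the key body after the documented prefix is at least 20 letters or digits, and the file names, function names, and key values in the sample are constructed.

```python
import re

# Assumption: the key body after the documented prefix is at least 20
# letters or digits. The page documents only the two prefixes.
DEPLOYMENT_KEY = re.compile(r"(?<![A-Za-z0-9])(client|server)-([A-Za-z0-9]{20,})")


def redact(kind, body):
    """Keep enough of the key to locate it, never enough to reuse it."""
    return f"{kind}-{body[:4]}...({len(body)} chars)"


def find_deployment_keys(text):
    """Return (line_number, kind, redacted_key) for every key-shaped string."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in DEPLOYMENT_KEY.finditer(line):
            hits.append((line_no, match.group(1), redact(*match.groups())))
    return hits


def audit_client_files(files):
    """files maps path -> content for everything shipped to end users.

    client- keys are expected there; any server- key is a finding.
    """
    findings = []
    for path, content in sorted(files.items()):
        for line_no, kind, shown in find_deployment_keys(content):
            if kind == "server":
                findings.append((path, line_no, shown))
    return findings


# Constructed sample input: paths, function names, and keys are made up.
SAMPLE_BUNDLE = {
    "dist/app.js": (
        'const exp = init("client-A1b2C3d4E5f6G7h8I9j0K1l2");\n'
        "// server-side rendering is configured elsewhere\n"
    ),
    "dist/admin.js": 'fetchFlags("server-Z9y8X7w6V5u4T3s2R1q0P9o8");\n',
}

if __name__ == "__main__":
    for path, line_no, shown in audit_client_files(SAMPLE_BUNDLE):
        print(f"{path}:{line_no}: server-side Deployment Key in client code: {shown}")
```

Run it against the built bundle rather than the source tree, so keys injected at build time are also covered.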

### Management API Key

Management API Keys authenticate requests that manage flags and experiments. Management API Keys differ from Deployment Keys, which fetch flag variants.

{% callout type="warning" heading="Management API keys are private" %}
Keep your Management API Key secret. If the key is compromised, create a new key and delete the old key.
{% /callout %}

Create and manage Management API Keys through the **Management API link** in the Experiment sidebar.

## Other keys

### Org-level API Key

Some APIs require an org-level API Key and Secret Key. Request these from Amplitude Support.

{% callout type="warning" heading="Org-level keys are private" %}
Keep org-level keys private. Org-level keys have access to your entire Amplitude organization. If an org-level key is compromised, contact Amplitude Support.
{% /callout %}

### SCIM Key

The SCIM Key authenticates calls to the [SCIM API](/docs/apis/analytics/scim). SCIM features are available in accounts with an Enterprise plan.

{% callout type="warning" heading="SCIM keys are secret" %}
Keep your SCIM Key secret. The SCIM Key has global user management permissions on your account. If the key is compromised, rotate it in Amplitude.
{% /callout %}

Refer to [Set up SCIM provisioning in Amplitude](/docs/admin/account-management/scim-provision) for more information.
