Keys and Tokens
Amplitude products use several kinds of keys and tokens. This guide describes what each key is for, how to use it, and where to find it.
Keys overview
| Product | Key | Public | Can it be rotated? |
|---|---|---|---|
| Analytics | Project API Key | ✅ | ✅ |
| Analytics | Project Secret Key | ❌ | ✅ |
| Experiment | Deployment Key (client-side) | ✅ | ✅ |
| Experiment | Deployment Key (server-side) | ❌ | ✅ |
| Experiment | Management API Key | ❌ | ✅ |
| Data | API Token | ❌ | ✅ |
| Other | SCIM Key | ❌ | ✅ |
| Other | Org-level keys | ❌ | Contact Support |
Analytics keys
Amplitude creates Analytics keys automatically for each project. Each key can only manipulate data within the project it belongs to.
To view your project's API Key and Secret Key, refer to Authentication.
API Key
Amplitude uses an API Key to identify which project to send ingested data to. Each API Key is associated with a single project.
Browsers and mobile apps share their code with end users, so API Keys can't be truly secret. Because the API Key is public, its scope is limited to the minimum needed to ingest data into Amplitude. Other analytics services use a similar public key for browser and mobile ingestion.
API keys are public
API Keys are public. If an API Key is abused, revoke or rotate the key.
Secret Key
A Secret Key authenticates you to server-side APIs that read or modify project data. Projects can have multiple Secret Keys.
Secret keys are private
Keep Secret Keys private. If a Secret Key is compromised, delete the compromised key and generate a new one.
Data keys
Use API Tokens to authenticate to Amplitude Data without an email address and password. Tokens grant applications the same roles and permissions you have when you log in directly.
Data API tokens are private
Keep your token secret. The token has global permissions on your account.
Create and revoke API Tokens in Data > Settings > API Tokens.
Experiment keys
Deployment Key
When you create a deployment, Experiment creates a Deployment Key. Whether the key is public or private depends on whether the deployment is client-side or server-side.
Client-side deployment keys are public
Client-side deployments run on a client device, such as a web browser or mobile app. Use client-side Deployment Keys in client-side SDKs. These keys are prefixed with client-. Because the key is already public, compromise isn't a concern.
Server-side deployment keys are private
Server-side deployments run on a server you control, such as a web server or batch processing system. Keep server-side Deployment Keys secret and use them only in server-side SDKs. These keys are prefixed with server-. If a server-side key is compromised, create a new Deployment Key, replace the old key with the new key on all flags and experiments, and delete the old key.
Manage Deployment Keys in Experiment > Deployments.
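The client- and server- prefixes make it possible to check automatically that a server-side Deployment Key never ships in client code. The following Python scan is an added example, not Amplitude's code: it reports server-side Deployment Keys found in files bound for a client device. The key body pattern (20 or more letters or digits), the file names, and both key values are assumptions constructed for the example.

```python
import re

# Assumption: a Deployment Key is its prefix followed by at least 20
# letters or digits. The page documents only the "client-" and "server-"
# prefixes; adjust KEY_BODY to match the keys in Experiment > Deployments.
KEY_BODY = r"[A-Za-z0-9]{20,}"
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])(client|server)-" + KEY_BODY)


def redact(key):
    """Keep the prefix and last four characters so findings are safe to log."""
    prefix, _, body = key.partition("-")
    return f"{prefix}-{'*' * (len(body) - 4)}{body[-4:]}"


def find_server_keys(files):
    """Return (path, line_number, redacted_key) for each server-side
    Deployment Key found in text that ships to a client device."""
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in KEY_RE.finditer(line):
                # client- keys are public by design; only server- keys are findings.
                if match.group(1) == "server":
                    findings.append((path, lineno, redact(match.group(0))))
    return findings


# Constructed sample input: two files as they might appear in a web bundle.
# Both key values are made up for this example.
SAMPLE_BUNDLE = {
    "src/experiment.js": (
        "// server-side rendering is disabled for this page\n"
        "const CLIENT_KEY = 'client-aB3dE6gH9jK2mN5pQ8sT1vW4';\n"
    ),
    "src/legacy/flags.js": (
        "const DEPLOYMENT_KEY = 'server-Zx9Yw8Vu7Ts6Rq5Po4Nm3Lk2';\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, key in find_server_keys(SAMPLE_BUNDLE):
        print(f"{path}:{lineno}: server-side Deployment Key in client code: {key}")
```

Run a check like this in CI against the built client bundle as well as the source tree, and treat any finding as a compromised key that needs the replacement steps above.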
Management API Key
Management API Keys authenticate requests that manage flags and experiments. Management API Keys differ from Deployment Keys, which fetch flag variants.
Management API keys are private
Keep your Management API Key secret. If the key is compromised, create a new key and delete the old key.
Create and manage Management API Keys through the Management API link in the Experiment sidebar.
Other keys
Org-level API Key
Some APIs require an org-level API Key and Secret Key. Request these from Amplitude Support.
Org-level keys are private
Keep org-level keys private. Org-level keys have access to your entire Amplitude organization. If an org-level key is compromised, contact Amplitude Support.
SCIM Key
The SCIM Key authenticates calls to the SCIM API. SCIM features are available in accounts with an Enterprise plan.
SCIM tokens are secret
Keep your SCIM Key secret. The SCIM Key has global user management permissions on your account. If the key is compromised, rotate it in Amplitude.
Refer to Set up SCIM provisioning in Amplitude for more information.