Common Pitfalls
Learn about common mistakes when using API keys and how to avoid them. Understand environment confusion, key rotation impact, and security best practices.
Which Key Do I Use Where?
| Use Case | Key Type | Safe Client-Side? | Where to Use |
|---|---|---|---|
| Server API calls | Secret key | No | Backend/server only |
| Server-to-server requests | Secret key | No | Backend/server only |
| Backend service operations | Secret key | No | Backend/server only |
| SDK initialization | N/A | Yes | Client-side (uses bearer tokens, not API keys) |
Do NOT embed secret keys in client apps (mobile apps, web browsers, or any client-side code). API keys are server-side credentials and must never be exposed to clients.
Use test keys for sandbox/testing environments only. Never use test keys in production, and never use production keys in test environments.
Environment Confusion
Common mistakes:
- Using a test key in production (or vice versa)
- Rotating keys without realizing it breaks production
- Not knowing which environment a key belongs to
Best practices:
- Use descriptive names: "Production Backend", "Test Environment", "Staging API"
- Store keys in environment-specific configuration
- Verify the environment before using a key
- Use separate keys for each environment
Key Rotation Impact
What happens when you rotate a key?
- Old key stops working - Once you delete the old key, all services using it will immediately fail with authentication errors
- Existing integrations break - Any backend service still using the old key will stop working
- No automatic migration - You must manually update all services to use the new key
How to rotate safely:
- Create a new API key
- Update your backend services to use the new key (keep old key active during transition)
- Test thoroughly with the new key
- Once verified, delete the old key
Rotation schedule: Rotate keys every 90 days, or immediately if you suspect a key has been compromised.
API Key Lifecycle
Create → Use → Rotate → Revoke
- Create: Generate a new key in Studio with a descriptive name
- Use: Store securely and use in backend services only
- Rotate: Create new key, update services, then delete old key
- Revoke: Delete the key when no longer needed (immediately invalidates it)
Security Questions Answered
"Can we expose this key client-side?"
- No - API keys are secret credentials for server-to-server authentication only
"Do we need separate keys per game/environment?"
- Yes - Use separate keys for different environments (test, staging, production)
- Recommended - Use separate keys for different games/shops if you manage multiple
- All keys for the same shop have the same permissions
"Can I use this key in my mobile app?"
- No - Never use API keys in mobile apps, web browsers, or any client-side code
- Use bearer tokens instead - For client-side authentication, use bearer tokens (see product-specific authentication guides)
Related Documentation
How is this guide?