Common Pitfalls
Learn about common mistakes when using API keys and how to avoid them. Understand environment confusion, key rotation impact, and security best practices.
Which Key Do I Use Where?
| Use Case | Key Type | Safe Client-Side? | Where to Use |
|---|---|---|---|
| Server API calls | Secret key | No | Backend/server only |
| Server-to-server requests | Secret key | No | Backend/server only |
| Backend service operations | Secret key | No | Backend/server only |
| SDK initialization | N/A | Yes | Client-side (uses bearer tokens, not API keys) |
Do NOT embed secret keys in client apps (mobile apps, web browsers, or any client-side code). API keys are server-side credentials and must never be exposed to clients.
Use test keys for sandbox/testing environments only. Never use test keys in production, and never use production keys in test environments.
Environment Confusion
Common mistakes:
- Using a test key in production (or vice versa)
- Rotating keys without realizing it breaks production
- Not knowing which environment a key belongs to
Best practices:
- Use descriptive names: "Production Backend", "Test Environment", "Staging API"
- Store keys in environment-specific configuration
- Verify the environment before using a key
- Use separate keys for each environment
Key Rotation Impact
What happens when you rotate a key?
- Old key stops working - Once you delete the old key, all services using it will immediately fail with authentication errors
- Existing integrations break - Any backend service still using the old key will stop working
- No automatic migration - You must manually update all services to use the new key
How to rotate safely:
- Create a new API key
- Update your backend services to use the new key (keep old key active during transition)
- Test thoroughly with the new key
- Once verified, delete the old key
Rotation schedule: Rotate keys every 90 days, or immediately if you suspect a key has been compromised.
API Key Lifecycle
Create → Use → Rotate → Revoke
- Create: Generate a new key in Studio with a descriptive name
- Use: Store securely and use in backend services only
- Rotate: Create new key, update services, then delete old key
- Revoke: Delete the key when no longer needed (immediately invalidates it)
Security Questions Answered
"Can we expose this key client-side?"
- No - API keys are secret credentials for server-to-server authentication only
"Do we need separate keys per game/environment?"
- Yes - Use separate keys for different environments (test, staging, production)
- Recommended - Use separate keys for different games/shops if you manage multiple
- All keys for the same shop have the same permissions
"Can I use this key in my mobile app?"
- No - Never use API keys in mobile apps, web browsers, or any client-side code
- Use bearer tokens instead - For client-side authentication, use bearer tokens (see product-specific authentication guides)
Related Documentation
How is this guide?
Security and Management
Learn security best practices for API keys, how to manage them, handle errors, and troubleshoot common issues.
Stash Webhooks
Learn about Stash webhooks - automated notifications sent to your backend when events occur across Stash products. Understand how to configure webhooks in Stash Studio and handle webhook events for player interactions, purchases, and more.