API Keys

API keys let your code interact with the Tolinku API and SDKs. Each Appspace has its own set of keys.

Tolinku uses two types of API keys:

| Type | Prefix | Use in | Access level |
| --- | --- | --- | --- |
| Publishable | tolk_pub_ | Client-side code, mobile apps, web SDKs | Limited. Can write events and read non-sensitive data. |
| Secret | tolk_sec_ | Server-side code only | Full access. Can read analytics, manage audiences, and call all API endpoints. |

  1. Go to API Keys in the sidebar.

  2. Click Create API Key.

  3. Enter a name for the key (e.g. “Production Web SDK” or “Backend Server”).

  4. Choose the key type: Publishable or Secret.

  5. Click Create.

The full key is shown once. Copy it and store it securely. You will not be able to see the full key again. The dashboard only shows the first 32 characters as a prefix for identification.

If a key is compromised or no longer needed, revoke it:

  1. Go to API Keys.
  2. Click Revoke next to the key.

Revoked keys stop working immediately. Any API calls or SDK connections using that key will fail. Revocation is permanent; a revoked key cannot be re-enabled.

After revoking, you can delete the key entirely to clean up the list.

To rotate a key without downtime:

  1. Create a new key of the same type.

  2. Update your application to use the new key.

  3. Deploy the change.

  4. Revoke the old key.

Both keys work simultaneously until you revoke the old one, so there is no gap in service.

Publishable keys (tolk_pub_):

  • Web SDK (@tolinku/web-sdk) initialization
  • Mobile SDKs (iOS, Android, React Native, Flutter)
  • Smart banner script (banner.js)
  • Any code that runs in the user’s browser or on their device

Secret keys (tolk_sec_):

  • Your backend server calling the Tolinku REST API
  • Server-side analytics queries
  • Audience management
  • Webhook signature verification
  • Any code that runs on infrastructure you control
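
The split above can be enforced in a build or CI step by checking key prefixes before anything ships to a browser or device. The following is an added example, not Tolinku code: the function names, the sample bundle, the key values and the assumed key character set are all illustrative; only the two prefixes come from this page.

```javascript
// Added example: the two prefixes come from the page; everything else is an assumption.
const SECRET_PREFIX = "tolk_sec_";
const PUBLISHABLE_PREFIX = "tolk_pub_";

// Assumption: key bodies consist of letters, digits, "_" and "-".
const SECRET_KEY_RE = /tolk_sec_[A-Za-z0-9_-]+/g;

// Keep only enough of a key to identify it in a report; never echo it whole.
function mask(key) {
  return key.slice(0, SECRET_PREFIX.length + 4) + "...";
}

// Scan text that will ship to browsers or devices (bundle, HTML, app config)
// and report every secret key found, with its 1-based line number.
function findSecretKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(SECRET_KEY_RE)) {
      findings.push({ line: i + 1, key: mask(m[0]) });
    }
  });
  return findings;
}

// Guard for build or startup time; context is "client" or "server".
// Returns a problem description, or null when the key is acceptable.
function checkKeyForContext(key, context) {
  if (typeof key !== "string" || key.length === 0) return "missing key";
  const isSecret = key.startsWith(SECRET_PREFIX);
  const isPublishable = key.startsWith(PUBLISHABLE_PREFIX);
  if (!isSecret && !isPublishable) return "unrecognized key prefix";
  if (context === "client" && isSecret) return "secret key in client-side code";
  return null; // publishable key anywhere, or secret key on the server
}

// Constructed sample bundle; the init call and both key values are made up.
const sampleBundle = [
  'init({ apiKey: "tolk_pub_EXAMPLEpub0000" });',
  'const admin = "tolk_sec_EXAMPLEsec0000"; // leaked into the bundle',
].join("\n");

console.log(findSecretKeys(sampleBundle));
console.log(checkKeyForContext("tolk_sec_EXAMPLEsec0000", "client"));
```

Any finding from the scan means the key should be treated as compromised and revoked, since it may already have been published.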

Creating, revoking, and deleting API keys requires the Admin role. Team members with the Editor or Viewer role can view existing keys (prefix only) but cannot create, revoke, or delete them.