API Keys
Reference for Statsig API keys, including client keys, server secret keys, and console API keys, with guidance on rotation, scopes, and security.
API key types
There are three main types of API keys:
- Client API Key: Intended for getting configuration and logging events on the client side.
- Server Secret Key: Intended for getting configuration and logging events on the server side.
- Console API Key: The most powerful key, intended for server-side use for full CRUD operations on your Statsig project.
Client API keys
Client API keys (Statsig Client SDK keys) are required to initialize all Statsig client SDKs. Use them in a client environment, such as a mobile app or a web app, where the key itself can't be secret.
Client API keys have access to the following:
- /initialize endpoint, which returns all evaluated gates/configs/experiments/layers for a given user, with the names hashed.
- /log_event endpoint, which logs events to Statsig.
Because a Client API Key only receives hashed names and results that Statsig has already evaluated for the current user, it can't read the project definition. Any conditions you create in the console (for example, a gate that passes for certain users or email addresses) aren't exposed through a Client API Key: the client learns whether a gate it already knows by name passed, not which gates exist or why they evaluated the way they did.
Server secret keys
Server Secret keys (Statsig Server SDK keys) are required to initialize all Statsig server SDKs. Use them on webservers or in server scripts. They have access to the following:
- /download_config_specs endpoint, which downloads the configuration for a project
- /log_event endpoint, which logs events to Statsig.
Console API keys
Console API keys (Statsig CAPI keys) are the most powerful keys in your project. They can read all project configuration and also create, update, and delete entities in your project.
They have access to the entire suite of console API endpoints.
You can also create Personal Console API Keys that are scoped to your role in Statsig. If your role has limited access, the same access conditions apply to the personal key. Personal keys are intended for multi-user projects where each user can have their own keys for clean access and audit logs. You can control the ability to generate personal keys in the organization info settings tab.
Additional configuration options
Use target apps with server secret keys and client keys to control which gates, configs, experiments, and layers are accessible through each key.
You can also create per-environment API keys to control which rules Statsig sends to the SDK based on the environment.
Both client and server secret keys can also access individual entities through the HTTP API (/check_gate, /get_config, /get_layer).
Client keys with server permissions
Client keys can also access the download_config_specs endpoint through a scope you can add to the key. Use this option only with client local evaluation SDKs, such as the js-on-device-eval SDK, which Statsig recommends only for specific situations.
Creating a key with this scope requires additional consideration. The full definition of everything the key can reach is exposed to every client holding it: the names and configurations of all experiments and feature flags accessible by your client key become visible, including the rules and targeting values behind them. This risk may be acceptable (many other experimentation platforms operate this way by default), but you may choose to add controls that keep certain information out of the payload, such as plaintext email addresses used in targeting or confidential config names. Recommended steps:
- Consider whether on-device evaluation is appropriate for your use case. While on-device evaluation has some benefits, precomputed SDKs are the default solution. Ask questions in the Slack channel.
- Educate Statsig users on your team about the types of information to include in configs based on your info security policy.
- Use target apps to filter your configs to only the ones needed for the client side, both for privacy and performance.