Understanding how Appizer authenticates and authorizes API requests.
Authentication Overview
Appizer uses Bearer token authentication with API keys.
Authentication Process
How API keys are validated
API Key Types
Secret Keys (Server-Side)
Format: sk_live_ or sk_test_
Permissions: Full access to all API operations
Usage: Server-side applications only
```javascript
// Server-side
const appizer = new Appizer({
  apiKey: process.env.APPIZER_API_KEY // sk_live_...
})
```
Never Expose
Secret keys must never be exposed in client-side code or version control.
Public Keys (Client-Side)
Format: pk_live_ or pk_test_
Permissions: Limited to client-safe operations (track, identify)
Usage: Browser and mobile applications
```javascript
// Client-side
const appizer = new AppizerClient({
  publicKey: process.env.NEXT_PUBLIC_APPIZER_PUBLIC_KEY // pk_live_...
})
```
Key Validation Flow
Permission Model
Role-Based Access Control
API keys have associated roles with specific permissions:
Permission Hierarchy
Role-based access control
Permission matrix:
| Operation | Read | Write | Admin |
|---|---|---|---|
| Track events | ❌ | ✅ | ✅ |
| Query analytics | ✅ | ✅ | ✅ |
| Identify users | ❌ | ✅ | ✅ |
| Send notifications | ❌ | ✅ | ✅ |
| Manage API keys | ❌ | ❌ | ✅ |
| Delete data | ❌ | ❌ | ✅ |
Request Authentication
Header Format
```http
POST /v1/events/track HTTP/1.1
Host: api.appizer.com
Authorization: Bearer sk_live_abc123...
Content-Type: application/json
```
Authentication Examples
cURL:
```bash
curl -X POST https://api.appizer.com/v1/events/track \
  -H "Authorization: Bearer sk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"event":"page_view","userId":"user_123"}'
```
JavaScript:
```javascript
const response = await fetch('https://api.appizer.com/v1/events/track', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.APPIZER_API_KEY}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    event: 'page_view',
    userId: 'user_123'
  })
})
```
Python:
```python
import os
import requests

response = requests.post(
    'https://api.appizer.com/v1/events/track',
    headers={
        'Authorization': f'Bearer {os.environ["APPIZER_API_KEY"]}',
        'Content-Type': 'application/json'
    },
    json={
        'event': 'page_view',
        'userId': 'user_123'
    }
)
```
Security Best Practices
Key Management
Use Environment Variables
Store keys in environment variables; never hard-code them in source.
Separate Keys Per Environment
Use different keys for dev, staging, and production
Rotate Regularly
Generate new keys periodically and revoke old ones
Monitor Usage
Track API key usage and set up alerts for anomalies
Key Rotation
Key Rotation Process
Zero-downtime key rotation
Monitoring
Track authentication metrics:
```javascript
// Metrics to monitor
{
  totalRequests: 10000,
  authenticatedRequests: 9950,
  failedAuth: 50,
  rateLimited: 25,
  byKey: {
    'sk_live_abc123': {
      requests: 5000,
      errors: 10,
      lastUsed: '2024-01-15T10:30:00Z'
    }
  }
}
```
Error Responses
401 Unauthorized
Missing or invalid API key:
```json
{
  "error": "Unauthorized",
  "code": "invalid_api_key",
  "message": "The API key provided is invalid or has been revoked"
}
```
403 Forbidden
Valid key but insufficient permissions:
```json
{
  "error": "Forbidden",
  "code": "insufficient_permissions",
  "message": "This API key does not have permission to perform this operation"
}
```
429 Too Many Requests
Rate limit exceeded:
```json
{
  "error": "Too Many Requests",
  "code": "rate_limit_exceeded",
  "message": "Rate limit exceeded. Retry after 60 seconds",
  "retryAfter": 60
}
```