This page explains when to use a development or production API key, and what the limitations are.
An API key is a string that the ATTACH platform generates for exclusive use on your website. It identifies you as the owner of the domain or page. API keys only work on domains and pages that have been assigned to your project's API key. See the Domains concept for how to connect, verify and assign a domain or page to a project.
You have two separate settings for Development and Production. This allows you to use one key during development and debugging, and another key for serving to your end users.
Note there are also separate keys for the Android and iOS platforms. Never use these on web pages, and rotate them if leaked. Never use an API key for anything other than its intended purpose.
API keys prefixed with prod_web_ are meant for embedding into your HTML code. Because your code can easily be forked or the keys stolen, we only honor your key on domains and pages you have previously registered for that key.
Add the attach:api-key meta property to your code with your API key in content, as shown in this example pen.
<meta property="attach:api-key" content="dev_web_01234567890123456789" />
When you create a new project, we generate API keys for all available platforms. Rotate a key whenever it has leaked or has been compromised.
- When you rotate a key, the old key will stop working after 22 hours. To ensure uninterrupted service, you must update the key on all your web pages before the key expires.
- If a key has been compromised and you want to stop serving immediately, rotate the key twice.
The development API key is prefixed with dev_web_ and should never be used on public websites, except when sharing code on CodePen (see below). It has the following features and limitations:
- Works on localhost.
- Works on CodePen.
- Tolerant when changing a signed-in user while rooms are open.
- Does not require a domain or page to be verified.
- Imposes a rate limit.
- Rooms time out after 10 minutes.
- Displays a "Development" banner on the website.
The production API key is prefixed with prod_web_ and is the only key to be used when serving to end users outside developer websites and tools. It has the following features and limitations:
- Doesn't work on localhost.
- Doesn't work on CodePen.
- Must close all rooms before changing the signed-in user.
- Requires a domain or page to be connected, verified and assigned.
- Safety-rate limit only.
- Rooms do not time out (except for safety timeout after 2 hours).
- Does not display any banners on the website.
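A pre-deployment check built on the prefix rules above, as an added example that is not part of the ATTACH documentation: it reads the attach:api-key meta tag from each page and reports keys whose prefix does not match the build being shipped. The name check_page, the environment labels and the sample prod_web_ key are assumptions made for this example.

```python
from html.parser import HTMLParser

META_PROPERTY = "attach:api-key"  # meta property used on this page
DEV_PREFIX, PROD_PREFIX = "dev_web_", "prod_web_"

# Constructed sample pages; the prod_web_ value is a made-up placeholder.
DEV_PAGE = '<head><meta property="attach:api-key" content="dev_web_01234567890123456789" /></head>'
PROD_PAGE = '<head><meta property="attach:api-key" content="prod_web_EXAMPLE0000000000000" /></head>'


class _KeyCollector(HTMLParser):
    """Collects the content of every attach:api-key meta tag."""

    def __init__(self):
        super().__init__()
        self.keys = []

    def handle_starttag(self, tag, attrs):  # also called for <meta ... />
        attr = dict(attrs)
        if tag == "meta" and attr.get("property") == META_PROPERTY:
            self.keys.append(attr.get("content") or "")


def check_page(html, environment):
    """Return findings for one page; environment is "production" or "development"
    (labels assumed by this example). Key values are never echoed into findings."""
    collector = _KeyCollector()
    collector.feed(html)
    collector.close()
    findings = []
    if not collector.keys:
        findings.append("no attach:api-key meta tag found")
    for key in collector.keys:
        if key.startswith(DEV_PREFIX):
            if environment == "production":
                findings.append("development key in a production build")
        elif key.startswith(PROD_PREFIX):
            if environment == "development":
                findings.append("production key in a development build")
        else:  # e.g. an Android/iOS key pasted into a web page
            findings.append("key without a dev_web_/prod_web_ prefix on a web page")
    return findings


if __name__ == "__main__":
    for name, page in (("dev page", DEV_PAGE), ("prod page", PROD_PAGE)):
        print(name, "->", check_page(page, "production") or "ok")
```

Run it over the built HTML in CI and fail the job when any page returns findings for the "production" environment.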