Every Plunk project has two API keys: a secret key and a public key. Each key controls a different level of access to the API.

Key types

Secret key (sk_*)

The secret key grants full access to all API endpoints. Use it server-side only — in your backend, serverless functions, or CI pipelines. Never expose it in client-side code, browser bundles, or mobile apps.
If your secret key is compromised, an attacker can read and modify your project data, send emails on your behalf, and access all contacts. Treat it like a password.

Public key (pk_*)

The public key is restricted to a single endpoint: /v1/track. It is safe to expose in client-side applications because it can only track events — it cannot read or modify any project data.

Which key to use

| Endpoint | Key required |
| --- | --- |
| /v1/track (event tracking) | Public key (pk_*) or secret key |
| All other endpoints | Secret key (sk_*) |

Passing a key in requests

All API requests authenticate using the Authorization header with a Bearer token.
Authorization: Bearer sk_your_secret_key
Example request:
curl -X POST https://api.useplunk.com/v1/send \
  -H "Authorization: Bearer sk_your_secret_key" \
  -H "Content-Type: application/json" \
  -d '{
    "to": "[email protected]",
    "subject": "Hello",
    "body": "<p>Welcome!</p>"
  }'
For client-side event tracking using your public key:
fetch("https://api.useplunk.com/v1/track", {
  method: "POST",
  headers: {
    "Authorization": "Bearer pk_your_public_key",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    event: "user.signup",
    email: "[email protected]",
  }),
});

Managing API keys in the dashboard

You can find your API keys in Project Settings → API Keys.
1. Open project settings
   In the dashboard sidebar, click Settings for your project.

2. Navigate to API Keys
   Select the API Keys tab. Your public key and secret key are both displayed here.

3. Copy the key
   Click the copy icon next to the key you need. Store it securely: use environment variables in your application, not hardcoded strings.

Regenerating keys

If you believe a key has been compromised, regenerate it immediately from Project Settings → API Keys.
Regenerating a key invalidates both the secret and public keys at the same time. Update all applications using the old keys before or immediately after regenerating to avoid downtime.

Security best practices

  • Store secret keys in environment variables, not in source code or version control.
  • Use the public key in any code that runs in the browser or on a user’s device.
  • Rotate keys periodically as part of your security hygiene.
  • Audit access logs if you suspect unauthorized use.
  • Never log API keys in application output or error messages.
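
The rules above (prefix-based access, keys read from the environment, no keys in logs or client code) as an added Node.js example; it is not part of Plunk's documentation or SDK. The key-body pattern and the PLUNK_SECRET_KEY variable name are assumptions, since this page documents only the sk_ and pk_ prefixes.

```javascript
// Added example, not Plunk code. Assumption: a key is the prefix sk_ or pk_
// followed by 8+ letters, digits, "_" or "-"; adjust to your real key format.
const KEY_PATTERN = /\b(sk|pk)_[A-Za-z0-9_-]{8,}/g;

// Mirrors the "Which key to use" table: pk_* works only for /v1/track.
function keyAllowedFor(path, key) {
  if (key.startsWith("sk_")) return true;
  if (key.startsWith("pk_")) return path === "/v1/track";
  return false;
}

// Scrub keys from a log or error message, keeping only the prefix.
function redactKeys(text) {
  return String(text).replace(KEY_PATTERN, (_m, kind) => `${kind}_[REDACTED]`);
}

// Report secret keys in text that will ship to clients (e.g. a built bundle).
// Returns 1-based line numbers; the key itself is never returned.
function findSecretKeys(source) {
  const hits = [];
  source.split("\n").forEach((line, i) => {
    if (/\bsk_[A-Za-z0-9_-]{8,}/.test(line)) hits.push(i + 1);
  });
  return hits;
}

// Server-side only: read the key from the environment, never from source.
function loadSecretKey(env = process.env) {
  const key = env.PLUNK_SECRET_KEY; // hypothetical variable name
  if (!key || !key.startsWith("sk_")) {
    throw new Error("PLUNK_SECRET_KEY is missing or is not a secret key");
  }
  return key;
}

// Constructed sample: a client bundle that wrongly embeds a secret key.
const sampleBundle = [
  'const publicKey = "pk_constructed_0001";',
  'const headers = { Authorization: "Bearer sk_constructed_0001" };',
].join("\n");
console.log("secret key on lines:", findSecretKeys(sampleBundle));
console.log(redactKeys("request failed: Bearer sk_constructed_0001"));
```

Running findSecretKeys over build output in CI and failing the build on any hit catches a secret key before it reaches a browser bundle.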
