Skip to main content

API keys reference

Notifizz uses five distinct secrets across its surface — each scoped to a single role, each scoped per environment (dev, prod, …). This page lists them all so you know which one to copy into which place.

TL;DR

  • sdkSecretKey — backend → POST /v1/events/track (Bearer + body field).
  • authSecretKey — backend → client.generateHashedToken(userId) for widget backend-token auth.
  • Front API Key — frontend → widget apiKey option, used by /v1/users/auth.
  • webhookSigningSecret — backend → enricher constructor, verifies HMAC on incoming enricher webhooks.
  • verificationSecret — per-source → connectors (Segment, Stripe, HubSpot, Intercom).
  • All five are environment-scoped: dev keys never reach prod, and vice versa.

The five secrets

1. SDK Secret Key (sdkSecretKey)

WhereWhat
Used byBackend SDKs (Node, Java, PHP) and any HTTP-direct caller of POST /v1/events/track.
Sent asAuthorization: Bearer <sdkSecretKey> header AND sdkSecretKey field in the body. Both must match.
Resolves toThe environment whose sdkSecretKey matches. Wrong key → 403 auth/invalid-authorization.
Where in dashboardEnvironment settings → API Keys → “SDK Secret”.
const client = new NotifizzClient(authSecretKey, sdkSecretKey);
// ↑ second arg is the SDK secret used to identify the environment.

2. Auth Secret Key (authSecretKey)

WhereWhat
Used byBackend SDK client.generateHashedToken(userId). Never sent over the wire — used to compute a SHA-256 HMAC server-side.
Lives inYour backend env (env var, vault). Never exposed to the frontend.
Where in dashboardEnvironment settings → API Keys → “Auth Secret”.
const client = new NotifizzClient(authSecretKey, sdkSecretKey);
const token = client.generateHashedToken("u_42");
// ↑ token derived from authSecretKey + userId, sent to your frontend.

3. Front API Key

WhereWhat
Used byThe Notification Center widget — passed as apiKey in the widget options.
Sent asapiKey field in POST /v1/users/auth (the widget’s auth endpoint).
Resolves toThe environment whose Front API Key matches.
Public by designEmbedded in your frontend bundle; visible to any user.
Where in dashboardEnvironment settings → API Keys → “Front API Key”.
<NotifizzInbox
  options={{
    apiKey: "YOUR_FRONT_API_KEY",
    authType: "backendToken",
    /* ... */
  }}
/>

4. Webhook Signing Secret (webhookSigningSecret)

WhereWhat
Used byNode SDK enricher subsystem only — new NotifizzClient(authKey, sdkKey, webhookSigningSecret).
Used forVerifying the HMAC on inbound enricher webhooks (HmacVerifier).
RequiredOnly when calling client.dispatch(). Skip it for clients that just call track().
Where in dashboardEnvironment settings → Enrichers → “Webhook Signing Secret”.
The Notifizz backend signs every enricher webhook request with this secret over the verbatim payload string in the body envelope. The SDK verifies the signature on receipt. Mismatch → { ok: false, error: { code: "hmac-invalid" } } in the response body.

5. Connector Verification Secret (verificationSecret)

WhereWhat
Used byConnector webhooks (Segment / Stripe / HubSpot / Intercom).
Per sourceEach connector source has its own secret.
Used forNotifizz verifies the per-provider HMAC on incoming webhook deliveries.
Where in dashboardConnectors → source detail → “Webhook Signing Secret”.
The exact algorithm differs per provider — see connector webhooks.

Quick reference table

SecretUsed bySent over wire?Public?Per-environment?
sdkSecretKeyBackend SDKsyes (Bearer + body)noyes
authSecretKeyBackend SDK (locally)nonoyes
Front API KeyWidgetyes (auth body)yesyes
webhookSigningSecretNode enricher SDKnonoyes
verificationSecretConnectorsnonoper source (and per env)

Environments

Each Notifizz organisation has multiple environments — typically dev and prod, plus optional staging or per-team environments. Each has its own copy of every secret. Never share keys across environments:
  • A dev sdkSecretKey posted to prod’s API resolves to dev’s environment, not prod’s — your prod traffic ends up in dev’s queue.
  • A prod Front API Key in your dev frontend means dev users see prod notifications.
Most failures classified as “weird” turn out to be cross-environment key contamination. Treat keys as environment-scoped from day one.

Rotation

The dashboard exposes a rotation flow per secret. The general pattern:
  1. Generate a new key alongside the existing one (overlap window).
  2. Deploy your services to use the new key.
  3. Wait the overlap window — Notifizz accepts both keys during it.
  4. Retire the old key.
Existing widget sessions keep their HMAC token across rotation only if you re-mint after the rotation; backend-side keys (SDK secret, auth secret) are read on every call, so rotation propagates as soon as your service redeploys.

Region note

The default API host is https://eu.api.notifizz.com/v1. Future US/APAC regions will have their own hostnames; keys generated in one region don’t work against another. The dashboard surfaces the right hostname for your environment.

FAQ

auth/invalid-authorization on /events/track always means the sdkSecretKey (Bearer + body) didn’t resolve to an environment. Three suspects: (1) wrong environment (most common), (2) typo / extra whitespace, (3) the key was rotated and your service hasn’t reloaded.
No — they belong to different environments. Each environment has its own pair. Sharing causes hard-to-debug cross-traffic; avoid even on internal tools.
All of them: Environment settings → API Keys (one section per role). Connector verification secrets live separately under Connectors → source detail.
No — never embed sdkSecretKey in a mobile or web frontend. Mobile clients should hit your own backend, which then calls Notifizz with its server-side secret. The widget’s Front API Key is the only Notifizz secret intended to ship in a frontend.
Use the dashboard rotation flow. Generate the new key, deploy your services with it, wait the overlap window (Notifizz accepts both during this period), retire the old key. Existing in-flight requests keep working — rotation only affects new requests after the cutover.
Rotate immediately. The dashboard exposes a one-click “rotate now, no grace period” path for emergencies; this revokes the old key right away and any in-flight request using it fails. Pair it with your incident process — log audit, scan dashboard for unexpected events, etc.

See also

Event Tracking

Where sdkSecretKey is used.

Backend tokens

Where authSecretKey is used.

Enrichers protocol

Where webhookSigningSecret is used.

Connector webhooks

Where verificationSecret is used.