Environments
Each Notifizz organisation has multiple environments — typicallydev and prod, plus optional staging or per-team variants. Each environment owns its own copy of every secret and its own event traffic. Sharing keys across environments is the most common cause of “weird” failures.
TL;DR
- Every environment has its own SDK Secret, Auth Secret, Front API Key, Webhook Signing Secret.
Devcampaigns run on dev only;Liveruns on every environment.- Rotate by generating the new key alongside the old, deploy, retire the old.
- Don’t share keys across environments — even for internal tooling.
What’s per-environment
Every secret and every campaign-runtime decision is per-environment:| Surface | Per-environment? |
|---|---|
| SDK Secret | yes |
| Auth Secret | yes |
| Front API Key | yes |
| Webhook Signing Secret | yes |
| Campaign status (Live / Dev / …) | resolved per env at instance creation |
Connector source verificationSecret | per source, scoped to its environment |
| Enricher URL | yes (you can declare different URLs per env) |
| Region | per environment (the env determines the API hostname) |
Dev campaign exists in both dev and prod’s view of the campaign list, but only runs on dev (see campaigns for the runnable filter).
Typical environment layout
| Environment | Purpose | Campaign statuses that run |
|---|---|---|
dev | Local development, iteration | Editing, Dev, Live, Offline (per the runnable filter) |
staging (optional) | Pre-prod validation | Same as dev, but with prod-like data volumes |
prod | Customer traffic | Live, plus Editing and Offline at instance creation (downstream behaviour varies — consult source) |
Dev gate is the explicit guardrail: orchestrators staged for review can’t accidentally fire on prod traffic.
When to rotate keys
| Trigger | What to rotate |
|---|---|
| Engineer leaves the company | All secrets they had access to. |
| Suspicion of leak | The compromised secret immediately, with the dashboard’s emergency rotation flow. |
| Routine policy (every 6–12 months) | All secrets, environment by environment. |
| Front API Key visible in a leaked git repo | The Front API Key is public-by-design (embedded in your frontend) — rotate only if you’re using none mode in production (which you shouldn’t). |
Rotation flow
The dashboard exposes a rotation flow per secret with an overlap window:Generate the new key
Dashboard → Environment → API Keys → “Rotate”. A new key is generated; the old key remains valid for the overlap window (configurable, typically 24h).
Wait the overlap window
Both keys work during this period. Existing in-flight requests using the old key complete; new requests pick up the new key.
Test in Dev before Live
The standard flow for any campaign change:- Edit on dev. Promote
Editing → Dev. - Fire test events from your dev backend. Verify delivery in dev’s delivery history.
- Fix dev tasks (missing properties, broken orchestrator code, …) until clean.
- Promote
Dev → Live. The campaign now also fires on prod traffic.
CI integration
In CI environments, use a dedicated key per pipeline:- A read-only key for “verify a notification path works” tests against dev.
- A separate prod-tracking key only for the build that actually emits to prod (typically a release job).
FAQ
Run a campaign only on dev?
Run a campaign only on dev?
Set its status to
Dev and never promote it. The runnable filter explicitly excludes Dev from production environments — your dev iteration stays out of prod traffic.Keys for CI?
Keys for CI?
One per pipeline. CI keys are usually scoped to the dev environment for test/integration work; only the release job uses a prod key, and that key only ever touches prod.
I rotated a key and the SDK throws 401 — how long until propagation?
I rotated a key and the SDK throws 401 — how long until propagation?
Within seconds — the backend reads keys per request, no caching beyond a short TTL on the resolution. If your SDK throws 401 minutes after rotation, your service is still using the old key (env var not reloaded, secret manager not refetched).
Delete an environment safely?
Delete an environment safely?
Archive all its campaigns first. Then revoke its keys (rotate to nothing, decline the new generation). Then delete from the dashboard. In-flight workflow instances complete or fail naturally; no live traffic continues post-delete.
See also
Keys and environments reference
The five secrets and where each goes.
Campaigns
Statuses, runnable filter, versioning.
Delivery history & stats
Where to verify a delivery worked.
Troubleshooting
Cross-cutting failure modes.