CloudSignal Docs
GuidesAPI Keys

Managing keys

Create, rotate, and revoke API keys in the CloudSignal dashboard.

This guide covers creating, rotating, and revoking API keys in CloudSignal.

Create an API key

  1. Log into the CloudSignal dashboard.
  2. Go to Settings in the sidebar.
  3. Click on the API Keys tab.

Click Create Key

Click the Create API Key button.

Select key type

Choose the key type based on your use case:

TypeWhen to use
Publishable (pk_)Client-side code, browser apps
Secret (sk_)Server-side code, automation

Name your key

Give your key a descriptive name that identifies its purpose:

PatternExample
Recommendedproduction-web-app, staging-backend, mobile-app-ios, ci-cd-pipeline
Anti-patternkey1, test, my-key

Copy and store securely

  1. Click Create.
  2. Copy the full key immediately.
  3. Store it securely - the full key won't be shown again.

The complete API key is only shown once. If you lose it, you'll need to create a new key.

Viewing existing keys

In the API Keys section, you see:

ColumnDescription
NameThe name you assigned
TypePublishable or Secret
PrefixFirst few characters (for example pk_live_abc...)
CreatedWhen the key was created
Last usedMost recent API call using this key

For security, only the key prefix is displayed. The full key cannot be retrieved after creation.

Rotating keys

Key rotation is a security best practice. Rotate keys:

  • Every 90 days (recommended).
  • After team member departures.
  • If you suspect a key was compromised.
  • When changing environments.

Rotation process

Create the new key

Create a new API key with the same type as the one you're replacing.

Update your applications

Deploy the new key to all applications that use the old key:

// Update environment variable
// Before: CLOUDSIGNAL_SK=sk_live_old123...
// After:  CLOUDSIGNAL_SK=sk_live_new456...

Verify the new key works

Test that your applications work with the new key before revoking the old one.

Revoke the old key

Once confirmed, revoke the old key (see below).

Keep both keys active during the transition period to avoid downtime. Revoke the old key only after confirming the new one works.

Revoking keys

Revoke keys when:

  • They're no longer needed.
  • After completing key rotation.
  • If compromised or leaked.
  • When decommissioning a service.

To revoke a key

  1. Go to SettingsAPI Keys.
  2. Find the key to revoke.
  3. Click the Revoke button (trash icon).
  4. Confirm the revocation.

Revocation is immediate and permanent. Any application using the revoked key will immediately lose access. This cannot be undone.

Best practices

Naming convention

Use a consistent naming pattern:

{environment}-{service}-{purpose}

Examples:
  prod-web-app-frontend
  staging-api-backend
  dev-local-testing
  prod-mobile-ios

Environment separation

Create separate keys for each environment:

EnvironmentKey nameNotes
Developmentdev-local-backendFor local testing
Stagingstaging-api-serverFor QA and testing
Productionprod-api-serverFor live traffic

Access control

PracticeWhy
Limit who can create keysOnly admins should create secret keys
Document key usageTrack which services use which keys
Audit regularlyReview unused or old keys quarterly

Storage guidelines

Storage methodRecommended for
Environment variablesMost applications
AWS Secrets ManagerAWS deployments
HashiCorp VaultEnterprise or multi-cloud
Vercel or Netlify secretsServerless deployments
GitHub SecretsCI/CD pipelines

Never store API keys in:

  • Source code.
  • Git repositories.
  • Client-side code (secret keys).
  • Logs or error messages.

Troubleshooting

"Invalid API Key" error

CheckResolution
Key typeUsing pk_ where sk_ is required?
Full keyKeys are long; ensure it wasn't truncated
Revoked?The key may have been revoked
Environment mismatchUsing a test key in production, or vice versa

"Unauthorized" error

CheckResolution
PermissionsPublishable keys have limited permissions
OperationSome operations require secret keys
ACL rulesThe key may not have access to the requested resource

Key not showing in dashboard

  • Keys are only fully visible immediately after creation.
  • Only the prefix is stored for display.
  • If you need the full key, create a new one.

Next steps

Key types

Understanding publishable and secret API keys in CloudSignal.

Team management

Collaborate with your team by managing members and permissions.

On this page

Create an API keyNavigate to API KeysClick Create KeySelect key typeName your keyCopy and store securelyViewing existing keysRotating keysRotation processCreate the new keyUpdate your applicationsVerify the new key worksRevoke the old keyRevoking keysTo revoke a keyBest practicesNaming conventionEnvironment separationAccess controlStorage guidelinesTroubleshooting"Invalid API Key" error"Unauthorized" errorKey not showing in dashboardNext steps