API keys
StatsKit uses four key types. Each has a distinct prefix, scope, and place it’s meant to run. Picking the right one is mostly about one question: does this code run in a browser or on a server?
The four key types
Section titled “The four key types”| Prefix | Name | Where it runs | What it can do | Safe in browser? |
|---|---|---|---|---|
vpk_live_… | Public ingest key | Browser | Write-only event ingest; used by the tracker and /v1/checkout. | Yes |
csk_live_… | Client SDK key | Browser | Client flag evaluation only (/v1/client-config, /v1/exposures). | Yes |
ssk_live_… | Server SDK key | Server | Server flag config, evaluate, and event ingest (/v1/config, /v1/evaluate, /v1/events). | No |
vsk_live_… | Secret / management key | Server | Full REST API and MCP (all /v1/*). | No |
Where to get them
Section titled “Where to get them”Sign in at app.versuch.ai and open the Install & keys panel. Every key type for your project is listed there.
Security
Section titled “Security”vsk_live_…andssk_live_…are server-only. Never ship them to the browser, embed them in client bundles, or commit them to a public repo. They can read and write your configuration.vpk_live_…andcsk_live_…are browser-safe. The public ingest key is write-only, and the client SDK key only evaluates flags, so exposing them in page source is expected.- Keys are shown once. Copy a key when it’s created. If you lose it or suspect it leaked, rotate it in the dashboard, which invalidates the old value.