Skip to content

API keys

StatsKit uses four key types. Each has a distinct prefix, scope, and place it’s meant to run. Picking the right one is mostly about one question: does this code run in a browser or on a server?

PrefixNameWhere it runsWhat it can doSafe in browser?
vpk_live_…Public ingest keyBrowserWrite-only event ingest; used by the tracker and /v1/checkout.Yes
csk_live_…Client SDK keyBrowserClient flag evaluation only (/v1/client-config, /v1/exposures).Yes
ssk_live_…Server SDK keyServerServer flag config, evaluate, and event ingest (/v1/config, /v1/evaluate, /v1/events).No
vsk_live_…Secret / management keyServerFull REST API and MCP (all /v1/*).No

Sign in at app.versuch.ai and open the Install & keys panel. Every key type for your project is listed there.

  • vsk_live_… and ssk_live_… are server-only. Never ship them to the browser, embed them in client bundles, or commit them to a public repo. They can read and write your configuration.
  • vpk_live_… and csk_live_… are browser-safe. The public ingest key is write-only, and the client SDK key only evaluates flags, so exposing them in page source is expected.
  • Keys are shown once. Copy a key when it’s created. If you lose it or suspect it leaked, rotate it in the dashboard, which invalidates the old value.