Publishable SDK Keys
Create and manage publishable SDK keys for secure SDK access to your project
Publishable SDK keys authenticate your encatch SDKs with our servers so you can collect in-app and web feedback securely. Keys are meant for client-side SDK integration; pair them with a server-side secret only when you use signature validation.
Where to find it
- Open your project in the encatch dashboard.
- Go to Settings.
- Under Security, open Publishable SDK Keys.
If you do not see Publishable SDK Keys, contact your organization administrator—you may need additional access.
Page description: Manage your project's publishable SDK keys. Create, view, and delete publishable SDK keys for secure access to your services.
Keys list
The table shows keys for the selected tab:
| Tab | Description |
|---|---|
| Active keys | Keys currently in use. |
| Deleted keys | Keys you have deleted (see retention note below). |
| Column | Description |
|---|---|
| App name | Application name / identifier linked to the key. |
| Key identifier | The name you gave the key when creating it. |
| Expires In | When the key expires, or Never if no expiry. |
| Key Suffix | Short suffix to cross-reference with the full key (..._suffix). |
| Info and Actions | Open details, view status, or delete an active key. |
Use Create Publishable SDK Key at the top to add a new key (subject to your plan’s publishable SDK key limit).
If you reach your plan limit, you will see Publishable SDK Keys limit reached and need to upgrade before creating more.
Deleted keys
On the Deleted keys tab, deleted or expired keys are listed. They are permanently removed after 15 days and cannot be restored.
Create a publishable SDK key
- Click Create Publishable SDK Key.
- Fill in the dialog sections below, then click Create.
Dialog description: Publishable SDK keys authenticate your SDKs with our servers, enabling secure communication for in-app feedback collection.
Basic information
| Field | Description |
|---|---|
| Key name (required) | Descriptive name (max 25 characters), e.g. Production SDK. |
| Description (optional) | Notes about the key (max 100 characters). |
| Application name / identifier (required) | Short id for the app (max 25 characters), e.g. myapp or shop01. Links feedback forms and settings such as Pause Feedbacks to this app. |
A warning may appear if you use a reserved application name—use those identifiers only when intended (for example shareable or in-app reserved names).
Access configuration
| Field | Description |
|---|---|
| Expiry period (required) | 1 day, 1 week, 1 month, 3 months, 6 months, 1 year, or a custom date. |
| API key prefix | Read-only prefix shown on the generated key (depends on environment). |
| Allowed domains / packages (required) | Origins or app bundle ids allowed to use this key. Add up to 10 entries. |
Examples for allowed domains / packages:
*— all origins (not recommended for production)https://app.example.comhttps://*.example.com- Android:
com.mycompany.myapp
Using * in Allowed domains / packages allows all domains to access this publishable SDK key.
Security configuration (optional)
| Field | Description |
|---|---|
| Secret key | Generate a secret for hashing user IDs and signature validation. Never expose this on the client—store it only on your server. |
| Session time (minutes) | Session timeout for validation. Set to 0 to disable (default). |
After creation
You see Your Publishable SDK Key once. Copy it immediately—you will not be able to view the full key again. Use the show/hide and copy controls, then click Close.
If you lose a key, create a new one with the same application name and update your app, then delete the old key.
Key details and delete
Open Info and Actions (⋮) on a row to see:
- Status — Active, Expired, Deleted, or Inactive
- Allowed domains / packages
- Created by / Updated by with timestamps
Active, non-expired keys can be deleted via Delete Publishable SDK Key (confirmation required).
Best practices
- Restrict Allowed domains / packages to your real sites and app bundle ids; avoid
*in production. - Rotate keys before Expiry period ends; keep the same application name when replacing a key.
- Publishable keys are safe to embed in client apps, but treat optional secret keys as server-only credentials.
- Test keys follow your plan’s test/production rules and may not count the same toward usage limits.
For rate limits on SDK and API traffic, see Rate Limits.
Was this page helpful?