Skip to content

API keys

Every project has its own API keys. A key authenticates both the SDK and GemSync, passed as a Bearer token (the SDK does this for you via GEM_KEY).

Manage keys from the project’s settings in the dashboard. Revoking a key takes effect immediately: requests with it fail with an expired-token error from the next call on.

  • Treat a key like any other secret: environment variables, never in client code you don’t control, never in a public repo.
  • Use one key per environment (production, staging, local), so revoking one doesn’t take down the others.
  • Keys are scoped to a single project. An agency with ten client sites has at least ten keys; revoking a client’s key affects only that client.