# API keys & authentication

Two kinds of key, two jobs. A publishable key identifies your app and is safe to ship anywhere; a secret key is a credential for your server. Knowing which goes where is most of integration security.

Source: https://cross-deck.com/university/api-keys/

Verified Crossdeck University lesson — prose plus real, runnable code.

## The most common setup mistake is a key in the wrong place

A surprising share of integration security comes down to one thing: using the correct key in the correct place. Crossdeck has exactly two — a publishable key and a secret key — and the difference between them is the difference between "safe in a browser" and "treat like a database password." Mix them up and you've either broken your app or leaked a credential.

## Publishable to identify, secret to authenticate

## The prefix tells you everything

The prefix is the contract: `cd_pub_` is public-by-design, `cd_sk_` is secret-by-design. A few rules follow from that:

The rule that prevents most incidents: never put a `cd_sk_` key in client code. The SDK `init()` even enforces the inverse — it rejects anything that isn't a `cd_pub_` key — so a secret key in your front end fails loudly instead of leaking quietly.

## Right key, right place

Publishable keys ride along in your apps doing their one safe job; secret keys stay on your servers guarding the privileged operations. If a key is ever exposed, you rotate it without downtime. That's the whole discipline — and the end of the Reference.

`cd_pub_` in client · `cd_sk_` on server

App identifier in the browser, credential on the backend, test and live kept apart — and any key rotatable without an outage.
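The prefix contract and the `init()` refusal described above, as an added example in plain JavaScript (not the Crossdeck SDK): only the two prefixes `cd_pub_` and `cd_sk_` come from the lesson; the function names, the redaction format and the sample key values are assumptions.

```javascript
// Added example (not the Crossdeck SDK): a minimal model of the prefix
// contract the lesson describes. Only the prefixes cd_pub_ and cd_sk_ come
// from the page; the function names and the redaction format are assumptions.
const PUBLISHABLE_PREFIX = "cd_pub_";
const SECRET_PREFIX = "cd_sk_";

// Classify a key purely by its prefix: "publishable", "secret", or "unknown".
function classifyKey(key) {
  if (typeof key !== "string") return "unknown";
  if (key.startsWith(PUBLISHABLE_PREFIX)) return "publishable";
  if (key.startsWith(SECRET_PREFIX)) return "secret";
  return "unknown";
}

// Safe form for logs and error messages: prefix, a mask, and the last 4 chars.
// Never log the whole key; the value being rejected may be a live secret.
function redactKey(key) {
  const kind = classifyKey(key);
  if (kind === "unknown") return "<unknown key>";
  const prefix = kind === "secret" ? SECRET_PREFIX : PUBLISHABLE_PREFIX;
  const body = key.slice(prefix.length);
  // A body of 4 chars or fewer would be revealed in full, so mask it entirely.
  return prefix + "***" + (body.length > 4 ? body.slice(-4) : "");
}

// Client-side init: accepts only a publishable key and fails loudly otherwise,
// mirroring the behaviour the lesson attributes to the SDK's init().
function initClient(key) {
  const kind = classifyKey(key);
  if (kind !== "publishable") {
    throw new Error(`init() requires a cd_pub_ key; refused ${kind} key ${redactKey(key)}`);
  }
  return { role: "identify", key: redactKey(key) };
}

// Server-side: privileged calls must be authenticated with a secret key.
// A publishable key here is a bug (it authorises nothing), not a leak.
function requireServerKey(key) {
  const kind = classifyKey(key);
  if (kind !== "secret") {
    throw new Error(`server calls need a cd_sk_ key; got ${kind} key ${redactKey(key)}`);
  }
  return { role: "authenticate", key: redactKey(key) };
}

// Constructed sample values, not real Crossdeck keys.
const SAMPLE_PUB = "cd_pub_sample0000abcd";
const SAMPLE_SK = "cd_sk_sample0000wxyz";
```

Calling `initClient(SAMPLE_SK)` throws with a redacted key in the message, which is the "fails loudly instead of leaking quietly" behaviour the lesson wants from a front end.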