Question

Unsure which API key to use for granting an entitlement in the API v1

  • September 15, 2025
  • 3 replies
  • 79 views


Hi, I’m trying to access this API endpoint https://www.revenuecat.com/docs/api-v1#tag/entitlements/operation/grant-a-promotional-entitlement 

When I use my public SDK API key, it says “invalid API key”. But when I use a secret API key for API version 1, I get:

"RevenueCat error: {\"code\":7243,\"message\":\"Secret API keys should not be used in your app.\"}\n\n"

Edit: For context, I am not calling the API directly from my app. I am invoking a Supabase edge function, so I'm not sure why I am getting that message.

 


kaitlin
RevenueCat Staff
  • September 17, 2025

Hey ​@spthomas5,

You’re correct that you would want to use the secret API key, so that is a strange error that you’re getting. Are you able to share the request that the function is making? You can also open a ticket with our support team if you’d prefer to share information that way: https://app.revenuecat.com/settings/support?tab=contact


  • Author
  • New Member
  • September 22, 2025

Essentially, I’m doing something like 

// Edge function
const revenueCatUrl = `https://api.revenuecat.com/v1/subscribers/${revenuecat_customer_id}/entitlements/{Entitlement}/promotional`;

const grantBody = {
  duration: 'lifetime'
};

const revenueCatResponse = await fetch(revenueCatUrl, {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${revenueCatApiKey}`,
    'Content-Type': 'application/json',
    'X-Platform': 'ios'
  },
  body: JSON.stringify(grantBody)
});

// Error received:
// {"code":7243,"message":"Secret API keys should not be used in your app."}


chris_perriam
RevenueCat Staff
  • September 23, 2025

In this case, it seems the error is being triggered due to the platform header signalling that this is an iOS request. This is a security measure to protect against developers architecting their applications with secret keys in their app bundles.
 
To resolve the issue, simply remove this line:

'X-Platform': 'ios'


Let me know if that works!
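
The fix discussed in this thread, as an added example that is not part of the original posts and is not RevenueCat's own code: a server-side request builder that never forwards the client platform header alongside a secret key, plus an error helper that recognises code 7243. The function names, the `extraHeaders` parameter and the environment variable name are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Only 'X-Platform' is named on the
// page as a header that marks a request as coming from a client app.
const CLIENT_MARKER_HEADERS = ['x-platform'];

// Builds the server-side request; apiKey should come from the function's
// environment (e.g. a secret named REVENUECAT_SECRET_KEY, a hypothetical name).
function buildGrantRequest({ apiKey, customerId, entitlementId, duration, extraHeaders = {} }) {
  if (!apiKey) throw new Error('secret API key missing from server environment');
  const headers = {
    Authorization: `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
  };
  const dropped = [];
  for (const [name, value] of Object.entries(extraHeaders)) {
    if (CLIENT_MARKER_HEADERS.includes(name.toLowerCase())) {
      dropped.push(name); // never forward client-platform markers with a secret key
    } else {
      headers[name] = value;
    }
  }
  // Encode path segments so an ID containing '/' or '?' cannot alter the route.
  const url = 'https://api.revenuecat.com/v1/subscribers/' +
    `${encodeURIComponent(customerId)}/entitlements/` +
    `${encodeURIComponent(entitlementId)}/promotional`;
  return { url, dropped, init: { method: 'POST', headers, body: JSON.stringify({ duration }) } };
}

// Turns an error body into a message that points at the cause seen in this thread.
function explainError(status, bodyText) {
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch {
    return `HTTP ${status}: non-JSON error body`;
  }
  if (parsed.code === 7243) {
    return 'code 7243: secret key sent with a client platform header; remove X-Platform';
  }
  return `HTTP ${status}: code ${parsed.code}: ${parsed.message}`;
}

// fetchImpl is injectable so the call can be exercised without the network.
async function grantPromotionalEntitlement(params, fetchImpl = fetch) {
  const { url, init } = buildGrantRequest(params);
  const res = await fetchImpl(url, init);
  const text = await res.text();
  if (!res.ok) throw new Error(explainError(res.status, text));
  return JSON.parse(text);
}
```

Logging the `dropped` list in the edge function makes it visible when a header copied over from client code would have caused the request to be rejected.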