Public API key best practices

  • 22 July 2021
  • 1 reply


What is best practice for using RevenueCat Public API keys in Xcode?

Are they 'public enough' to just use in source files?


Best answer by cody 22 July 2021, 16:10


Hey @TBZ!

Yes, it’s safe to store the public API key in your code. These keys are used to make non-potent changes to subscribers, and they can’t be used to access any sensitive data about your users. We consider a public key to be obtainable by anyone who can decompile your app, so it's not dangerous to have it exposed.

You can see this in action in our sample app here.

A secret key, on the other hand, should always be kept secret and should never be exposed (and should never be included in your app’s source files). These types of keys are prefixed with sk_ and can perform any API request without restriction including deleting subscribers, reading attributes, and granting promotional access. If you ever think that you might have exposed a secret key, you should revoke access from our dashboard and generate a new key.

You can read more about revoking secret keys and API keys in general here.
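
A build-time check for the rule in the answer above that secret keys never belong in an app's source files, as an added example that is not RevenueCat's code or part of the original post. The answer gives only the `sk_` prefix; the key length and character set in the pattern, the file extensions scanned and the sample lines are assumptions constructed here.

```python
import re
import sys
from pathlib import Path

# Assumption: the page only states the "sk_" prefix. Requiring 16+ letters or
# digits after it is a guess used to reduce false positives.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sk_[A-Za-z0-9]{16,}")

# Assumption: file types in an Xcode project where a key is likely to be pasted.
SOURCE_SUFFIXES = {".swift", ".m", ".mm", ".h", ".plist", ".xcconfig", ".json"}

# Constructed sample input, not real keys.
SAMPLE = "\n".join([
    'Purchases.configure(withAPIKey: "CONSTRUCTEDpublicKEY0001")',  # public key: fine
    'let taskId = "task_sk_abcdefghijklmnopqrstu"',  # "sk_" mid-identifier: ignored
    'let admin = "sk_CONSTRUCTEDsecretKEY0001"',     # secret key: must be flagged
])


def redact(token):
    """Keep only the start of the key so the report itself does not leak it."""
    return token[:7] + "..."


def scan_text(text, path="<memory>"):
    """Return (path, line number, redacted key) for each suspected secret key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((path, lineno, redact(match.group())))
    return findings


def scan_tree(root):
    """Scan every source-like file under root."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix in SOURCE_SUFFIXES:
            findings += scan_text(p.read_text(errors="replace"), str(p))
    return findings


if __name__ == "__main__":
    # With a directory argument, scan it; otherwise scan the constructed sample.
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "Sample.swift")
    for path, lineno, token in hits:
        print(f"{path}:{lineno}: possible secret API key {token}")
    sys.exit(1 if hits else 0)  # non-zero exit fails a pre-commit hook or build phase
```

Run with the project directory as its argument from a pre-commit hook or CI step; a hit means the key should be treated as exposed and revoked, not just deleted from the file.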