Get your API keys

Every Vuukle site has two API keys with very different security properties:

Public API key

Used by the in-browser install snippet (VUUKLE_CONFIG.apiKey). Safe to expose in client-side code, page source, view-source, DevTools. Format: UUID like c7368a34-dac3-4f39-9b7c-b8ac2a2da575.

Secret API key

Used to sign SSO tokens (SHA-512 signature) and to call privileged endpoints from your backend. Treat it like a password. Store in env vars, secret managers, never in your repo or client code.

Where to find them

1. Sign in to dash.vuukle.com.

2. If you have multiple sites, pick the right one from the site switcher at the top-left.

3. Open Integration — either from the top navigation, or Integration in the left sidebar.

4. Your public key is shown immediately at the top of the page. Click the copy icon next to it.

5. To reveal the secret key, click Show Secret Key. It stays masked until you click. Copy it into your backend secrets manager — don’t paste it into a document, Slack message, or commit.

Where to use them

Public key — in the install snippet

In your article template

<script>
  var VUUKLE_CONFIG = {
    apiKey: 'YOUR_PUBLIC_API_KEY',  // ← public key here
    articleId: 'post-12345',
  };
  (function () {
    var d = document, s = d.createElement('script');
    s.src = 'https://cdn.vuukle.com/platform.js';
    (d.head || d.body).appendChild(s);
  })();
</script>

Secret key — server-side only

On your backend, never in browser code

import crypto from 'node:crypto';

const SECRET = process.env.VUUKLE_SECRET_KEY;  // ← never hardcode

function generateSsoToken(user) {
  const sig = crypto
    .createHash('sha512')
    .update(`${user.email}-${SECRET}`)
    .digest('hex')
    .toUpperCase();

  const payload = {
    username: user.name,
    email: user.email,
    public_key: 'YOUR_PUBLIC_API_KEY',
    signature: sig,
  };

  return Buffer.from(JSON.stringify(payload), 'utf8').toString('base64');
}

Full SSO walkthrough: Generate an SSO token.

If your secret key leaks

Contact support@vuukle.com immediately. We’ll rotate the key. Rotating invalidates every existing SSO token — your backend must be redeployed with the new value before users can sign in again.

Key handling checklist

• Public key is fine in your install snippet, view-source, blog posts, Slack screenshots.
• Secret key lives in .env, AWS Secrets Manager, GCP Secret Manager, Vercel env vars, etc.
• .env is in .gitignore — git log -p should not show the secret anywhere.
• CI/CD pipelines read the secret from masked env vars, not from committed files.
• Rotate keys if you suspect a leak — don’t wait.

Where keys are used across the platform

Use case	Which key	Where
Install snippet	Public	Browser, in VUUKLE_CONFIG.apiKey
Widget iframe URLs (AMP, mobile WebView)	Public	URL parameter apiKey={key}
SSO token signature	Secret	Server-side hash function
Generate token to ship to browser	Both (signature uses secret, payload includes public)	Server-side

Related

• SSO overview — full token-generation flow
• Generate an SSO token — Node, Python, PHP examples
• Quickstart — uses the public key