API keys
Every project has its own API keys. A key authenticates both the
SDK and GemSync, passed as a Bearer token
(the SDK does this for you via GEM_KEY).
Creating and revoking
Section titled “Creating and revoking”Manage keys from the project’s settings in the dashboard. Revoking a key takes effect immediately: requests with it fail with an expired-token error from the next call on.
Handling keys
Section titled “Handling keys”- Treat a key like any other secret: environment variables, never in client code you don’t control, never in a public repo.
- Use one key per environment (production, staging, local), so revoking one doesn’t take down the others.
- Keys are scoped to a single project. An agency with ten client sites has at least ten keys; revoking a client’s key affects only that client.