Authentication

API key types and how to authenticate requests

API Key Types

SessionSight uses two types of API keys:

| Key Type | Prefix | Where to Use | Security |
| --- | --- | --- | --- |
| Public | sessionsight_pub_... | Client-side (browser) | Safe to expose |
| Secret | sessionsight_sec_... | Server-side only | Must stay secret |

Public API Key

Used by the Insights and Split Testing SDKs for sending data from the browser. It’s safe to include in client-side code because it can only write session and experiment data to your property.

Secret API Key

Used for server-side operations: goal tracking, feature flag evaluation, and reading data from the API. Never expose this key in client-side code.

Authenticating Requests

Include your API key in the x-api-key header:

```bash
curl -X GET "https://api.sessionsight.com/v1/sessions?propertyId=YOUR_PROPERTY_ID" \
  -H "x-api-key: YOUR_SECRET_API_KEY"
```

Which Key for Which Endpoint

| Endpoint | Key Type |
| --- | --- |
| GET /v1/split-testing/config | Public |
| POST /v1/split-testing/expose | Public |
| POST /v1/goals/increment | Secret |
| POST /v1/goals/decrement | Secret |
| POST /v1/flags/evaluate | Secret |
| GET /v1/flags/list | Secret |
| POST /v1/feedback/submit | Secret |
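
The key prefixes and the endpoint table above can be enforced in code before a request is sent or a client bundle is shipped. The following is an added example, not SessionSight code: the function names are hypothetical, the table is treated as strict, and the characters allowed after a key prefix are an assumption.

```javascript
// Added example, not SessionSight code. Prefixes and the endpoint table come
// from this page; function names and the key alphabet are assumptions.
const PREFIXES = { public: "sessionsight_pub_", secret: "sessionsight_sec_" };

// Endpoint -> key type, as listed under "Which Key for Which Endpoint".
const ENDPOINT_KEY_TYPE = {
  "GET /v1/split-testing/config": "public",
  "POST /v1/split-testing/expose": "public",
  "POST /v1/goals/increment": "secret",
  "POST /v1/goals/decrement": "secret",
  "POST /v1/flags/evaluate": "secret",
  "GET /v1/flags/list": "secret",
  "POST /v1/feedback/submit": "secret",
};

// Classify a key by its prefix; null when the prefix is not recognised.
function keyType(key) {
  if (typeof key !== "string") return null;
  for (const [type, prefix] of Object.entries(PREFIXES)) {
    if (key.startsWith(prefix) && key.length > prefix.length) return type;
  }
  return null;
}

// Returns a list of problems; an empty list means the request may be sent.
// Endpoints that are not in the table only get the prefix and browser checks.
function checkRequest(method, path, key, { inBrowser = false } = {}) {
  const problems = [];
  const type = keyType(key);
  if (type === null) problems.push("key has no recognised prefix");
  if (type === "secret" && inBrowser) problems.push("secret key in client-side code");
  const required = ENDPOINT_KEY_TYPE[`${method.toUpperCase()} ${path.split("?")[0]}`];
  if (required && type && type !== required) problems.push(`endpoint needs a ${required} key`);
  return problems;
}

// Scan built client-side assets for secret keys; hits are redacted so the
// scanner's own output does not leak the key into CI logs.
function findSecretKeys(text) {
  const re = /sessionsight_sec_[A-Za-z0-9_-]+/g; // assumed key alphabet
  return (text.match(re) || []).map((k) => k.slice(0, PREFIXES.secret.length + 4) + "...");
}

// Constructed sample: a secret key used from browser code on a public endpoint.
console.log(checkRequest("GET", "/v1/split-testing/config", "sessionsight_sec_EXAMPLE123", { inBrowser: true }));
```

Running `findSecretKeys` over each file of a front-end build and failing the build on any hit catches a secret key before it is published.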

Managing API Keys

You can create, view, and delete API keys from the API Keys page in the dashboard, or use the API key selector in the navigation bar above to auto-fill keys into code examples.