
Three types of API key

Publishable, secret, dev — and where each one belongs in your stack.


Every Sheepit project has three kinds of API key. They look similar — they all start with sp_ — but their permissions are very different. The prefix after sp_ tells you which is which.

Publishable — sp_pub_…

The client-side key. Safe to embed in your browser bundle, your mobile app, anywhere a user can see it. Can read flag config and send events. Cannot read your data, manage flags, or touch admin endpoints. This is the only key that belongs in NEXT_PUBLIC_ env vars.

Secret — sp_sec_…

The server-side key. Full access to everything in the project. Server SDKs use it. Background jobs use it. CI uses it. Never, ever ship it client-side — if it leaks, rotate immediately.

Dev — sp_dev_…

The developer / CLI key. Read-only access to schemas and definitions. Powers the @sheepit-ai/cli for codegen. Safe in your shell, your CI secrets, your scripts. Cannot read your data and cannot write anything.

Rotation

Generate a new key, deploy code that uses the new one, then revoke the old one. Sheepit shows the last-seen time for every key, so you can confirm nothing is still using the old key before you pull the plug.
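As an added example (not Sheepit's own code or CLI), the two rules above can be turned into a small guard: classify each key by its sp_ prefix, refuse any non-publishable key that would reach the browser through a NEXT_PUBLIC_ variable, and check that an old key's last-seen time predates the deploy that switched to its replacement. The key shape and all key values below are constructed placeholders.

```javascript
// Added example, not Sheepit's own code. Key shape (sp_<type>_<id>) and the
// sample values are assumptions for illustration, not real credentials.

const KEY_TYPES = {
  sp_pub_: "publishable", // client-side: read flag config, send events
  sp_sec_: "secret",      // server-side only: full project access
  sp_dev_: "dev",         // developer / CLI: read-only schemas, no writes
};

// Matches any sp_ key-shaped token inside a value (assumed shape).
const KEY_PATTERN = /\bsp_[a-z]+_[A-Za-z0-9]+/g;

function classifyKey(key) {
  for (const [prefix, type] of Object.entries(KEY_TYPES)) {
    if (key.startsWith(prefix)) return type;
  }
  return "unknown";
}

// Scans env var values; only a publishable key may live in a NEXT_PUBLIC_ var.
function auditEnv(env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    for (const key of String(value).match(KEY_PATTERN) || []) {
      const type = classifyKey(key);
      if (name.startsWith("NEXT_PUBLIC_") && type !== "publishable") {
        findings.push({ name, type, reason: "non-publishable key would ship client-side" });
      } else if (type === "unknown") {
        findings.push({ name, type, reason: "unrecognised sp_ prefix" });
      }
    }
  }
  return findings;
}

// Rotation check: revoke the old key only once its last-seen time (null if
// never used) is earlier than the deploy that switched to the new key.
function safeToRevoke(oldKeyLastSeen, newKeyDeployedAt) {
  if (oldKeyLastSeen === null) return true;
  return Date.parse(oldKeyLastSeen) < Date.parse(newKeyDeployedAt);
}

// Constructed sample environment with one deliberate mistake.
const SAMPLE_ENV = {
  NEXT_PUBLIC_SHEEPIT_KEY: "sp_pub_abc123",
  NEXT_PUBLIC_DEBUG_DUMP: "key=sp_sec_leak999", // secret key in a public var
  SHEEPIT_SECRET_KEY: "sp_sec_xyz789",
  SHEEPIT_DEV_KEY: "sp_dev_cli456",
};
console.log(auditEnv(SAMPLE_ENV));
```

Running this in CI against the build's environment fails the pipeline before a secret key ever reaches a browser bundle.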