Docs
API keys
Keys authenticate every call to Vertex. Treat live keys like passwords: scope them tightly, rotate them on a schedule, and never ship them in client bundles unless they are publishable.
Key types
vx_live_ keys write real data and count against quota. vx_test_ keys write to a scratch environment wiped nightly — use them in CI and staging.
The key embedded in the browser snippet is publishable: it can only submit events, never read data, so exposing it in HTML is safe by design.
Scopes
Every key carries one or more scopes. write:events is the only scope a publishable key can hold. read:reports allows exporting funnels and retention data. admin:keys can mint and revoke other keys — give it to your infrastructure tooling only.
# Create a narrowly-scoped key for a data pipeline
vertex keys create \
--name etl-export \
--scope read:reports \
--expires 90dRotate keys
Rotation issues a replacement and starts a grace period on the old key, so deploys can roll gradually. The old key keeps working for 24 hours (configurable up to 7 days), then returns 401.
Rotate immediately if a key ever lands in a log file, a screenshot or a public repository.
curl -X POST https://api.lorem.example/v1/keys/key_lorem42/rotate \
-H "Authorization: Bearer $VERTEX_ADMIN_KEY" \
-d '{"graceHours": 24}'Best practices
One key per deploy target — never share a key between staging and production. Set expiry dates on everything except the publishable snippet key. Audit the key list quarterly and revoke anything you cannot name the owner of.