Security
API keys — secret & public keys
Kreo has two kinds of API key, each protected differently by Kreo Sys Security. Secret keys live on your server and can be sealed with HMAC request signing; public keys ship in the browser and are contained by origin locking, least-privilege scopes and anomaly detection.
Secret keys
Use secret keys (ksk_live_…) server-side only. Enable request signing to prove possession without ever transmitting the secret, with timestamp and nonce protection against replay.
Public keys
Public keys (kpk_live_…) are safe to embed in a frontend: they are locked to your registered site, limited to the exact tables and operations you allow, and rate-limited per key and per IP. A leaked key is detected and auto-banned.