
# Authentication

The Schematic API uses API keys to authenticate requests. You can view and manage all of your API keys within your Settings page.

*Secret Keys* are used only for server-side integrations. These keys are meant to be confidential, so they should not be used on clients.

*Publishable Keys* are used in applications and websites to submit identify and track calls, as well as perform client-side feature evaluations. They can be embedded in your application and website.

API keys are environment scoped and Secret Keys are namespaced accordingly:

* Production environments will have the prefix `sch_prod`
* Staging environments will have the prefix `sch_stag`
* Development environments will have the prefix `sch_dev`

All API requests must be made over HTTPS. API requests without authentication will also fail.
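The environment prefixes above make two defensive checks possible: refusing to start a server with a Secret Key from the wrong environment, and scanning client-side source for Secret Keys that should never ship to a browser. The following is an added example, not code from Schematic; the function names, the sample bundle, and the characters assumed to follow each prefix are assumptions made for illustration.

```python
import re

# Prefixes come from the list above. The token alphabet and minimum length
# after the prefix are assumptions made for this example.
ENV_BY_PREFIX = {"sch_prod": "production", "sch_stag": "staging", "sch_dev": "development"}
SECRET_KEY_RE = re.compile(r"\b(sch_(?:prod|stag|dev))[A-Za-z0-9_-]{8,}")

# Constructed sample of client-side source; the key values are made up.
SAMPLE_BUNDLE = '''const cfg = { timeout: 3000 };
const schematicKey = "sch_prod_EXAMPLEexample0001";
fetch("/api/flags");
const other = "sch_dev_EXAMPLEexample0002";
'''


def key_environment(key):
    """Return the environment a Secret Key is namespaced to, or None."""
    for prefix, env in ENV_BY_PREFIX.items():
        if key.startswith(prefix):
            return env
    return None


def check_server_key(key, expected_env):
    """Fail fast when the configured Secret Key belongs to another environment."""
    actual = key_environment(key)
    if actual is None:
        raise ValueError("key does not carry a Secret Key environment prefix")
    if actual != expected_env:
        raise ValueError(f"{actual} key configured for a {expected_env} deployment")
    return actual


def find_secret_keys(text):
    """Return (line_number, environment, redacted_key) for each Secret Key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY_RE.finditer(line):
            prefix = match.group(1)
            # Report only the prefix so the scanner's own output never leaks the key.
            findings.append((lineno, ENV_BY_PREFIX[prefix], prefix + "...[redacted]"))
    return findings


if __name__ == "__main__":
    for finding in find_secret_keys(SAMPLE_BUNDLE):
        print("Secret Key in client source:", finding)
```

Run `find_secret_keys` over built client assets in CI, and call `check_server_key` once at server startup with the deployment's environment name.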

### Readonly API Keys

API keys can optionally be created as **readonly**. Readonly keys can access any non-mutative part of the API, including flag checks and GET requests, but cannot perform write operations. Readonly keys cannot submit events; while the event collector will accept events from readonly keys, those events will appear in your instance in an error state indicating that a readonly key was used.

Readonly is set at creation time via the "Read-only" toggle in the Create API Key dialog and cannot be changed after the key is created.