Key Types
| Key Type | Use Case | Security | Example Usage |
|---|
| Publishable Key | Client-side SDK initialization | Safe to expose | Browser apps, game clients |
| Secret Key | Server-side operations | Keep private | Backend minting, admin operations |
Publishable Key
import { config } from '@imtbl/sdk';
const baseConfig = {
environment: config.Environment.SANDBOX,
publishableKey: 'pk_imapik-your-publishable-key',
};
- SDK initialization
- Client-side API calls
- Passport authentication
Secret Key
// Server-side only
const headers = {
'x-immutable-api-key': process.env.IMX_SECRET_KEY,
};
const response = await fetch('https://api.immutable.com/v1/mint', {
method: 'POST',
headers,
body: JSON.stringify(mintRequest),
});
- Minting NFTs
- Admin operations
- Webhook verification
- Any operation that modifies on-chain state
Never expose your Secret API Key in:
- Client-side JavaScript/TypeScript
- Mobile app code
- Public Git repositories
- Browser developer tools
Use environment variables on your server. Key Rotation
Rotate keys in Hub: Settings → API Keys → Rotate Key
Old key invalidates immediately
Rotate immediately if exposed
Environment-Specific Keys
Each environment has its own keys:
| Environment | Publishable Key Prefix | Chain |
|---|
| Sandbox | pk_imapik-sandbox-... | Immutable zkEVM Testnet |
| Production | pk_imapik-... | Immutable zkEVM Mainnet |
Next Steps
