API keys & encryption
Your API key authenticates your widget and any direct API calls to Promptly. Treat it like a password.
What an API key looks like
Every key starts with the
pk_pk_8sJd...Shown once — copy it immediately
For security, your full API key is shown only once, at the moment it is created or regenerated. After you leave the page it is no longer displayed; the dashboard shows a masked placeholder instead. If you lose it, you cannot retrieve the old value — you regenerate to get a new one.
You manage your key under Settings → API keys.
🖼️ [Image] — The API keys page showing the masked key and the "Regenerate Key" button.
Regenerating a key
Click Regenerate Key to issue a brand-new key and reveal it once. Regenerating immediately invalidates the previous key. Any widget or integration still using the old key will stop working until you update it, so regenerate when:
- a key may have leaked or been committed to a public repo, or
- you are rotating credentials as routine hygiene.
🎬 [Video] — Regenerating an API key, copying the new value, and updating the embed snippet.
Using the key in the embed snippet
The widget reads the key from a
data-api-keyX-Api-KeyEncryption at rest
Sensitive secrets that Promptly stores on your behalf are encrypted at rest using AES-256 (AES-256-CBC with a unique random initialization vector per value). This applies to the connection string for a dedicated database (see Data isolation & storage modes) — that credential is never stored in plain text.
Keep keys secret
Never share your key in screenshots, support tickets, or client-side code beyond the official embed snippet. If you suspect exposure, regenerate immediately. Key regenerations and other sensitive account actions are recorded — see the audit log.