Lumifeed Docs

API Keys

Generate and manage API keys for your project.

API keys authenticate your widget and server-side API calls. Each key belongs to a single project.

Creating a key

  1. Open your project in the dashboard
  2. Go to Settings → API Keys
  3. Click + New Key
  4. Give it a name (e.g. Production Widget, Backend)
  5. Copy the key immediately — it will only be shown once

Key types

Lumifeed currently supports one key type: publishable widget keys. These are safe to embed in client-side code because they can only submit feedback, not read it.

For server-side operations (listing feedback, triggering AI, etc.) use your session cookie via the dashboard OAuth session, or contact support for server-to-server access tokens.

Rotating keys

If a key is compromised:

  1. Go to Settings → API Keys
  2. Click Revoke next to the old key
  3. Create a new key
  4. Update your widget configuration

Allowed origins

Widget keys are embedded in plain HTML — they're public by design, just like Stripe's publishable key or a Google Maps API key. They can only submit feedback, never read it.

For an extra layer of protection you can lock a key to specific domains. Requests whose origin is not in the list are rejected with a 401 (the matching rules below describe how origins are compared).

To set allowed origins:

  1. Go to Settings → API Keys
  2. Click the edit icon next to a key
  3. Enter one hostname per line (no https://, no trailing slash):
    myapp.com
    staging.myapp.com
  4. Save — the change takes effect immediately

Matching rules:

  Scenario                                                   | Behaviour
  -----------------------------------------------------------|------------------------------
  No origins configured                                      | All origins allowed (default)
  myapp.com in list, request from https://myapp.com          | ✅ Allowed
  myapp.com in list, request from https://sub.myapp.com      | ✅ Allowed (subdomain match)
  myapp.com in list, request from https://attacker.com       | ❌ Rejected
  Origins configured, no Origin header (curl / server-side)  | ✅ Allowed

Subdomains are automatically covered — adding myapp.com also allows app.myapp.com, staging.myapp.com, etc.
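The matching rules above, as an added reference implementation (this is example code, not Lumifeed's own server logic). It assumes the Origin header value is passed in as a string, or null/undefined when the header is absent; how Lumifeed handles unparseable values such as the literal "null" origin is an assumption here, not something the page states.

```javascript
// Added example: reference implementation of the allowed-origins matching rules.
// Not Lumifeed's code; behaviour for unparseable Origin values is assumed.

// Parse the dashboard's "one hostname per line" text into a normalised list.
function parseAllowedOrigins(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim().toLowerCase())
    .filter((line) => line.length > 0);
}

// Extract the hostname from an Origin header value. Returns null when the value
// is not a parseable URL (e.g. the literal "null" browsers send for opaque origins).
function hostnameFromOrigin(origin) {
  try {
    return new URL(origin).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Decide whether a request is accepted under the configured allowed origins.
function isOriginAllowed(originHeader, allowedHosts) {
  // No origins configured: every origin is allowed (the default).
  if (allowedHosts.length === 0) return true;
  // No Origin header (curl, server-side calls): allowed, per the table. This is
  // why the origin list only constrains browsers and is not a secret.
  if (originHeader === undefined || originHeader === null || originHeader === "") return true;
  const host = hostnameFromOrigin(originHeader);
  if (host === null) return false;
  // Exact match, or subdomain match. The "." boundary matters: without it,
  // "notmyapp.com" would satisfy a suffix check for "myapp.com".
  return allowedHosts.some((allowed) => host === allowed || host.endsWith("." + allowed));
}

// Constructed sample configuration mirroring the dashboard example above.
const ALLOWED = parseAllowedOrigins("myapp.com\nstaging.myapp.com\n");

console.log(isOriginAllowed("https://sub.myapp.com", ALLOWED)); // true (subdomain match)
console.log(isOriginAllowed("https://attacker.com", ALLOWED)); // false
console.log(isOriginAllowed(undefined, ALLOWED)); // true (no Origin header)
```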

Security

  • Widget API keys can only submit feedback — they cannot read, update, or delete data
  • Use environment variables to avoid hardcoding keys in source control: NEXT_PUBLIC_LUMIFEED_KEY (client-side), LUMIFEED_KEY (server-side)
  • Keys are rate-limited: 10 submissions per minute per key (configurable on paid plans)
  • Use allowed origins to restrict which domains can use a key in production
