Two-Tier Authentication

Pushary uses a two-tier authentication system for security:

Site Key (Client-Side)

Format: pk_xxxxxxxxxxxxxxxx
Use: Client SDK in browser
Security: Public, domain-validated
Rate limit: Based on plan

import { createPushary } from '@pushary/sdk'

createPushary({
  siteKey: 'pk_abc123def456',
})

Full API Key (Server-Side)

Format: pk_xxxxxxxxxxxxxxxx.sk_xxxxxxxxxxxxxxxx
Use: Server SDK and API calls
Security: Secret, never expose in browser
Rate limit: Higher limits for server-to-server

import { createPusharyServer } from '@pushary/server'

createPusharyServer({
  apiKey: 'pk_abc123def456.sk_secret789xyz',
})

Key Generation

When you create a site, you receive:

Site Key - The pk_xxx portion, displayed in dashboard
Full API Key - The pk_xxx.sk_xxx combination, shown only once

If you lose your full API key, you'll need to regenerate it from the dashboard.

Security Best Practices

Do

Store API keys in environment variables
Use the server SDK only in backend code
Rotate keys if compromised
Use different API keys for development/production

Don't

Expose full API key in client-side code
Commit API keys to version control
Share API keys in public channels
Use API keys in browser-bundled code

HTTP Authentication

When making direct API calls, use Bearer authentication:

curl -X POST https://pushary.com/api/v1/server/send \
  -H "Authorization: Bearer pk_xxx.sk_xxx" \
  -H "Content-Type: application/json" \
  -d '{"title": "Hello", "body": "World"}'

Domain Validation

The Site Key is validated against your registered domain. This prevents unauthorized usage of your key on other websites.

Localhost domains are allowed during development.

Two-Tier Authentication

Pushary uses a two-tier authentication system for security:

Site Key (Client-Side)

Format: pk_xxxxxxxxxxxxxxxx
Use: Client SDK in browser
Security: Public, domain-validated
Rate limit: Based on plan

import { createPushary } from '@pushary/sdk'

createPushary({
  siteKey: 'pk_abc123def456',
})

Full API Key (Server-Side)

Format: pk_xxxxxxxxxxxxxxxx.sk_xxxxxxxxxxxxxxxx
Use: Server SDK and API calls
Security: Secret, never expose in browser
Rate limit: Higher limits for server-to-server

import { createPusharyServer } from '@pushary/server'

createPusharyServer({
  apiKey: 'pk_abc123def456.sk_secret789xyz',
})

Key Generation

When you create a site, you receive:

Site Key - The pk_xxx portion, displayed in dashboard
Full API Key - The pk_xxx.sk_xxx combination, shown only once

If you lose your full API key, you'll need to regenerate it from the dashboard.

Security Best Practices

Do

Store API keys in environment variables
Use the server SDK only in backend code
Rotate keys if compromised
Use different API keys for development/production

Don't

Expose full API key in client-side code
Commit API keys to version control
Share API keys in public channels
Use API keys in browser-bundled code

HTTP Authentication

When making direct API calls, use Bearer authentication:

curl -X POST https://pushary.com/api/v1/server/send \
  -H "Authorization: Bearer pk_xxx.sk_xxx" \
  -H "Content-Type: application/json" \
  -d '{"title": "Hello", "body": "World"}'

Domain Validation

The Site Key is validated against your registered domain. This prevents unauthorized usage of your key on other websites.

Localhost domains are allowed during development.

Authentication

Two-Tier Authentication

Site Key (Client-Side)

Full API Key (Server-Side)

Key Generation

Security Best Practices

Do

Don't

HTTP Authentication

Domain Validation

On this page

Authentication

Two-Tier Authentication

Site Key (Client-Side)

Full API Key (Server-Side)

Key Generation

Security Best Practices

Do

Don't

HTTP Authentication

Domain Validation

On this page