API keys
Your support page authenticates to the backend with a site-scoped publishable key. One active key per site. Keys are prefixed pk_ and stored as SHA-256 hashes: once created, the plaintext is shown exactly once and never recoverable.
Why site-scoped
The key carries the site's identity. Every request with a pk_ key is implicitly filtered by site at the database layer: a key for acme-app cannot read tickets, articles, or FAQs from acme-marketing, even if the URL says otherwise. The CORS origin allowlist is also bound to the site, so a leaked key from one product can't be used from a different domain.
Publishable by design
The key ships in your browser bundle, like a Stripe publishable key. That is safe because the key can only read published content and submit tickets, the origin allowlist blocks other domains, and per-site rate limits cap abuse. It cannot touch agent-side data: dashboards, members, settings, and drafts all require a session.
Format
pk_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
pk_ plus 43 url-safe base64 characters, 46 characters total. The backend identifies the key by its hash, not its prefix.
Creating and rotating
Keys live in the dashboard under Websites > your site. The key is revealed once, at creation; copy it into your env file right away. Rotating issues a new key and invalidates the previous one immediately. There is no grace window: deploy the new key first, then rotate.
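As an added illustration (not Vicket's own code), here is a minimal backend-side model of what the Format and Creating and rotating sections describe: a key is 32 random bytes encoded as 43 url-safe base64 characters behind pk_, only its SHA-256 digest is stored, an incoming X-Vicket-Key value is resolved by hashing it, and rotating a site's key drops the previous digest at once. The KeyStore class, its method names and the in-memory dicts are assumptions standing in for the real key table.

```python
import base64
import hashlib
import re
import secrets

# Format from the page: "pk_" plus 43 url-safe base64 characters, 46 total.
KEY_RE = re.compile(r"^pk_[A-Za-z0-9_-]{43}$")


def generate_key() -> str:
    # 32 random bytes -> 44 base64url chars with one "=" of padding -> 43 without it
    body = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=")
    return "pk_" + body.decode("ascii")


def hash_key(key: str) -> str:
    # Only this digest is persisted; the plaintext is shown once and then discarded
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def is_well_formed(key: str) -> bool:
    # Cheap syntactic check before touching the store
    return KEY_RE.fullmatch(key) is not None


class KeyStore:
    """In-memory stand-in (assumed) for the key table: one active key per site."""

    def __init__(self):
        self._site_of_hash = {}  # sha256 hex digest -> site id
        self._hash_of_site = {}  # site id -> sha256 hex digest

    def rotate(self, site: str) -> str:
        """Issue a new key for `site`; the previous key stops working immediately."""
        old = self._hash_of_site.pop(site, None)
        if old is not None:
            del self._site_of_hash[old]
        key = generate_key()
        digest = hash_key(key)
        self._site_of_hash[digest] = site
        self._hash_of_site[site] = digest
        return key  # the only moment the plaintext exists server-side

    def resolve_site(self, header_value):
        """Map an X-Vicket-Key header value to a site id; None if malformed or unknown."""
        if header_value is None or not is_well_formed(header_value):
            return None
        # Lookup is by digest, so the store never needs the plaintext
        return self._site_of_hash.get(hash_key(header_value))
```

Because the lookup is by digest, the site filter the page describes can be derived from the resolved site id rather than from anything in the URL.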
Using the key
Pass the key in the X-Vicket-Key header on any /support/v1/... endpoint:
curl https://api.vicket.app/support/v1/help/articles \
-H "X-Vicket-Key: pk_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
The scaffolded support-client.ts does this for you, reading the key from your env.
Never expose a session
The session cookie used by the dashboard carries org permissions. It must never appear in client-side code outside the dashboard, and there is no way to convert a pk_ key into a session. If you need server-to-server access to agent-side endpoints, open an issue: machine credentials are on the roadmap.
Next
- The full auth model: api-authentication.
- Endpoints that accept pk_ keys: api-endpoints.