API keys are used to authenticate requests to the Stigg GraphQL API. Each environment in your Stigg account has its own set of API keys.
Key types
Stigg provides two types of API keys per environment:
| Key type | Prefix | Usage | Security |
|---|---|---|---|
| Full access key | server- | Backend integrations and server-side SDKs | Must be kept secret. Never expose in client-side code. |
| Publishable key | client- | Frontend integrations and client-side SDKs | Safe to use in browser and mobile apps |
Full access keys grant full access to your Stigg environment. Never expose them in client-side code, public repositories, or frontend bundles. Load them at runtime from environment variables (or from the secrets manager that populates them) rather than hard-coding them in source.
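The two prefixes make the rule above checkable. The following is an added example, not Stigg's SDK code: it classifies a key by its documented prefix, refuses to start a backend with anything but a full access key taken from the environment, scans built frontend output for anything that looks like a leaked full access key, and redacts keys down to their prefix for logging. The character set and minimum length assumed after the prefix, the environment variable name and the sample bundle text are assumptions made here, not documented by Stigg.

```javascript
// Added example; not Stigg's SDK code. Guard rails around the two documented
// key prefixes. The token shape after the prefix is an assumption made here for
// scanning purposes; the page documents only the "server-" / "client-" prefixes.

const SERVER_PREFIX = 'server-';
const CLIENT_PREFIX = 'client-';

// Classify a key by its documented prefix.
function keyType(key) {
  if (typeof key !== 'string') return 'invalid';
  if (key.startsWith(SERVER_PREFIX)) return 'full-access';
  if (key.startsWith(CLIENT_PREFIX)) return 'publishable';
  return 'unknown';
}

// Backend startup check: read the key from the environment (never a literal in
// source) and refuse to start with anything but a full access key.
function requireServerKey(env = process.env, name = 'STIGG_SERVER_API_KEY') {
  const key = env[name];
  if (!key) throw new Error(`${name} is not set`);
  const type = keyType(key);
  if (type !== 'full-access') {
    throw new Error(`${name} must be a full access (server-) key, got a ${type} key`);
  }
  return key;
}

// CI check for frontend builds: report anything in the bundle that looks like a
// full access key. Publishable keys are expected in a bundle and are ignored.
// Assumed token shape: prefix + at least 8 URL-safe characters; the minimum
// length keeps the package name "@stigg/node-server-sdk" from matching.
const SERVER_KEY_PATTERN = /server-[A-Za-z0-9_-]{8,}/g;

function findServerKeysInBundle(bundleText) {
  const hits = new Set();
  for (const match of bundleText.matchAll(SERVER_KEY_PATTERN)) hits.add(match[0]);
  return [...hits];
}

// Redact a key for logs and error messages: keep only the prefix (the part every
// RBAC role may see in the console) and mask the rest.
function redactKey(key) {
  const type = keyType(key);
  if (type === 'full-access') return `${SERVER_PREFIX}****`;
  if (type === 'publishable') return `${CLIENT_PREFIX}****`;
  return '[redacted]';
}

// Constructed sample of bundle text (not real build output) for the scanner.
const SAMPLE_BUNDLE = [
  'var sdk = require("@stigg/node-server-sdk");',
  'var provider = StiggProvider({ apiKey: "client-abc123def456", customerId: "customer-123" });',
  '// TODO remove before release: var admin = sdk.initialize({ apiKey: "server-ZZZ999yyy888" });',
].join('\n');
```

Run `findServerKeysInBundle` over the built JavaScript in CI and fail the build on any hit; the sample above reports only the `server-` key on the last line and ignores both the publishable key and the package name. Call `requireServerKey()` once at backend startup so a misconfigured environment fails before any request is made.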
Finding your API keys
- Log in to the Stigg Console
- Go to Integrations > API Keys
Each environment (Production, Staging, Development) has its own full access and publishable keys.
Using API keys
Include your API key in the X-API-Key header of every request. The call below runs server-side, so it uses the full access key, read from an environment variable rather than pasted into the command:

```bash
curl -X POST https://api.stigg.io/graphql \
  -H "Content-Type: application/json" \
  -H "X-API-Key: $STIGG_SERVER_API_KEY" \
  -d '{"query": "{ customers { edges { node { customerId name } } } }"}'
```
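The same call from server-side JavaScript, as an added example rather than Stigg's SDK: the request builder and the response checker are pure functions, so the header placement and error handling can be exercised offline, and the error messages never include headers or the key. The endpoint and query are the ones from the curl command; the treatment of HTTP 200 responses carrying a GraphQL `errors` array follows the GraphQL convention and is an assumption about Stigg's responses.

```javascript
// Added example; not Stigg's SDK. A minimal server-side GraphQL call against the
// endpoint from the curl command above. Builder and checker are pure functions.
const STIGG_GRAPHQL_URL = 'https://api.stigg.io/graphql';

// Build the fetch() request: key in X-API-Key, query and variables as JSON.
// Server-side code must use the full access key, so anything else is rejected
// before a request is ever built.
function buildStiggRequest(apiKey, query, variables = {}) {
  if (typeof apiKey !== 'string' || !apiKey.startsWith('server-')) {
    throw new Error('server-side Stigg calls require a full access (server-) key');
  }
  return {
    url: STIGG_GRAPHQL_URL,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', 'X-API-Key': apiKey },
      body: JSON.stringify({ query, variables }),
    },
  };
}

// Check HTTP status first, then GraphQL-level errors (an HTTP 200 can still carry
// an "errors" array). Messages carry status and error text only, never the key.
function parseStiggResponse(status, payload) {
  if (status < 200 || status >= 300) {
    throw new Error(`Stigg API returned HTTP ${status}`);
  }
  if (Array.isArray(payload?.errors) && payload.errors.length > 0) {
    throw new Error(`GraphQL errors: ${payload.errors.map((e) => e.message).join('; ')}`);
  }
  return payload?.data ?? null;
}

// Glue: send with the platform fetch (Node 18+) or an injected transport.
async function stiggGraphql(apiKey, query, variables = {}, fetchImpl = globalThis.fetch) {
  const { url, init } = buildStiggRequest(apiKey, query, variables);
  const response = await fetchImpl(url, init);
  const payload = response.ok ? await response.json() : null;
  return parseStiggResponse(response.status, payload);
}

// Same query as the curl example.
const CUSTOMERS_QUERY = '{ customers { edges { node { customerId name } } } }';
```

Usage: `await stiggGraphql(process.env.STIGG_SERVER_API_KEY, CUSTOMERS_QUERY)` returns the `data` object or throws. Keeping the key check in the builder means a publishable key accidentally wired into a backend fails loudly at the first call instead of producing confusing authorization errors.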
Backend SDKs
When initializing a backend SDK, use the full access key, read from the environment:

```javascript
import Stigg from '@stigg/node-server-sdk';

// Load the full access key from the environment; never hard-code it in source.
const apiKey = process.env.STIGG_SERVER_API_KEY;
if (!apiKey || !apiKey.startsWith('server-')) {
  throw new Error('STIGG_SERVER_API_KEY must be set to a full access (server-) key');
}
const stigg = await Stigg.initialize({ apiKey });
```
Frontend SDKs
When initializing a frontend SDK, use the publishable key:

```jsx
import { StiggProvider } from '@stigg/react-sdk';

// The publishable (client-) key is safe to ship in the bundle; customerId
// identifies the customer this frontend session is acting for.
<StiggProvider apiKey="client-..." customerId="customer-123">
  {children}
</StiggProvider>
```
Key rotation
Rotating API keys regularly limits how long a leaked key stays usable. Stigg supports key rotation with a configurable grace period, during which the previous key remains valid so you can roll the new key out to every service before the old one stops working.
Grace period options
| Method | Grace period |
|---|---|
| Stigg UI | 0–7 days |
| Stigg API | Up to 1 year |
Use the API for longer grace periods if your organization has longer deployment cycles or manages multiple services.
Revoking keys
Revoking a key invalidates it immediately. Only keys that carry an expiration date can be revoked; a default key (one without an expiration) must be rotated first, which guarantees that the environment always has an active key.
Access control
API key visibility is controlled by role-based access control (RBAC):
| Action | Owner | Member | Read-only |
|---|---|---|---|
| View API key prefix | ✅ | ✅ | ✅ |
| Copy full API key | ✅ | ❌ | ❌ |
Client-side security
For frontend integrations, Stigg supports client-side security: you can restrict which domains are allowed to make requests with a given publishable key. It is configured per environment in the Settings page. Because a publishable key necessarily ships in your frontend bundle, the domain restriction is what limits its use from other sites; it does not make the key secret.
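A domain restriction of this kind works by comparing the requesting origin against an allowlist. Stigg's own matching rules are not documented on this page, so the following is an added example (not Stigg's implementation) of the comparison such an allowlist should perform, shown here so you know what to expect when choosing its entries: normalise both sides to scheme://host[:port] and compare exactly, never by substring. The allowlist entries and origins are constructed sample values.

```javascript
// Added example; not Stigg's implementation. Exact-origin allowlisting for a
// publishable key, beside the substring anti-pattern it must avoid.

// Normalise an allowlist entry or a request Origin header to scheme://host[:port].
// Entries given as a bare host are assumed to mean https. Returns null on garbage.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value.length === 0) return null;
  let url;
  try {
    url = new URL(value.includes('://') ? value : `https://${value}`);
  } catch {
    return null;
  }
  // URL.origin drops path, query, fragment and userinfo and lowercases the host.
  return url.origin;
}

function buildOriginAllowlist(entries) {
  const allow = new Set();
  for (const entry of entries) {
    const origin = normalizeOrigin(entry);
    if (origin) allow.add(origin);
  }
  return allow;
}

// Correct check: the whole origin (scheme, host, port) must match an entry.
// A missing Origin is denied rather than treated as "same site".
function isOriginAllowed(allowlist, originHeader) {
  const origin = normalizeOrigin(originHeader);
  return origin !== null && allowlist.has(origin);
}

// Anti-pattern, for comparison only: substring matching accepts
// https://app.example.com.evil.net because it contains "app.example.com".
function isOriginAllowedNaive(entries, originHeader) {
  return entries.some((entry) => (originHeader || '').includes(entry));
}
```

Exact-origin comparison is what makes `app.example.com.evil.net` fail even though it contains the allowed host, and it also rejects a scheme or port you did not list. Any allowlist of this kind depends on the Origin value a browser attaches to the request, which a non-browser client can set to anything, so it limits where a publishable key can be used from a web page, not who can send requests with it.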