Project ID & tokens
Each project exposes a few identifiers and tokens. Use the right one for the right job — and never put secret tokens in front‑end code.
| Name | Where it's used | Secret? |
|---|---|---|
| Project ID (proj_…) | Internal identifier shown in Settings. | No |
| Project Public ID (e.g. SEF-284-BKR4) | Embedded in hosted SDK URLs so customers never see internal IDs. | No |
| Publishable browser token | Sent by the Website SDK with each event. Safe to ship in the browser. | No (publishable) |
| Project token (server) | Server‑to‑server ingestion and admin API calls. | Yes — keep private |
Where to find them
Open Settings → SDK / Install and Settings → Project. The SDK install
panel pre‑bakes your Project Public ID and publishable browser token into
a ready‑to‑paste <script> tag — you normally never copy the token by hand.
Publishable vs. secret
- The publishable browser token is designed to be public. It can only do one thing: send events for its project. Abuse is further limited by your Allowed website domains.
- The project (server) token can read and administer project data. Treat it like a password: store it in server‑side environment variables only, never in browser code or a public repo.
Do not paste the server project token into HTML, JavaScript bundles, mobile apps, or anything a user can view. If a secret token leaks, rotate it under Settings → Project → API keys.
Rotating tokens
Rotate a token under Settings → Project → API keys. For the publishable browser token, the hosted SDK bundle picks up the new token within a few minutes (the script is cached for ~5 minutes). For server tokens, update your environment variables immediately after rotating.