# API Keys

> Learn what API keys are and how to use them.

Every request to the WinWinKit API requires an API key. Use it with any of the SDKs, or to call the REST API directly.

Keys are scoped to a single project — switching projects in the dashboard switches which keys you see.

## Key Types

- **Client API Keys** — for use inside client-facing apps (iOS, Android, web). They are scoped to the endpoints a client legitimately needs (registering users, claiming codes, reading reward state) and can't be used for privileged actions.
- **Secret API Keys** — grant access to every API endpoint. Currently available only to a select set of apps.

## Generate an API key

1. [Sign in](https://app.winwinkit.com/) and select your project.
2. Open **Settings** → **Integrations** → **API Keys**.
3. Click **+ New API Key**.
4. Give the key a descriptive name (e.g. `iOS app`, `Android app`, `Backend`).
5. Copy the generated key — you'll pass it to the SDK or include it in REST API requests.

<Tip>
  Create a separate key per client (iOS, Android, web, backend). Naming keys by
  client makes it easy to rotate one without affecting the others.
</Tip>

## Security

- **Keep Secret keys out of source control.** Server-side keys belong in environment variables or secret managers. Client API Keys can sit in client source code — they ship in the binary regardless.
- **One key per environment.** Keep production and staging keys separate so you can rotate one without disrupting the other.
- **Rotate when compromised.** If a key leaks, create a new one, roll it out to your clients, then delete the old one from the dashboard.
- **Revoke unused keys.** Deleting a key in the dashboard invalidates it immediately.
