error.page docs

Projects & API keys

How projects, API keys and secret keys work, and how to rotate them.

A project is a single website or application you monitor. Everything in error.page — incidents, branded pages, webhooks, AI keys, custom domains — belongs to a project, and projects belong to your account only. You never see another account's data, and they never see yours.

Keys

Each project has two keys:

  • API key (ep_…) — public. It identifies your project in the SDK snippet and in ingest requests. It's safe to include in client-side code.
  • Secret key (eps_…) — private. Used to authenticate server-side ingestion when you enable secret-key enforcement. Never expose it in the browser.

Find both under Projects in the dashboard.

Secret-key enforcement

By default any request bearing your API key can report an error. If you ingest errors server-side, you can require the secret key as well: enable enforce secret key on the project and send it as the X-Secret-Key header. Requests without a valid secret are then rejected.

Origin allowlist

Your API key is public by design — it ships in the browser SDK, so anyone viewing your page can read it. That's expected (it identifies your project, like a Sentry DSN), but it means someone could copy it and send forged error reports.

To blunt this, set an origin allowlist under a project's Security & settings. List the hosts your SDK legitimately runs on, one per line:

app.yourcompany.com
*.yourcompany.com

When an allowlist is set, browser ingest is accepted only when the request's Origin (or Referer) matches — by exact host or a *.domain wildcard. Leave it empty to allow any origin.

A caveat worth understanding: the Origin header is enforced by browsers, so a non-browser client (like curl) can spoof it. The allowlist therefore stops casual and cross-site abuse, not a determined scripted attacker. For that, combine it with:

  • secret-key enforcement for server-side reporting (below), and
  • the built-in rate limits, which cap how much any single origin can send regardless of plan.

For the strongest protection — cryptographic proof that a report came from your own app — enable hardened ingest, which verifies short-lived signed tokens your server mints.

Usage & limits

Each project tracks how many errors it has ingested in the current calendar month. On the Free plan a project is capped (500 errors/month); paid plans are unlimited. The counter resets automatically at the start of each month — you don't need to do anything.

See Plans & billing for the limits per tier.

Creating and deleting

  • Free accounts can create one project. Upgrade for unlimited projects.
  • Deleting a project permanently removes its incidents, branded page, webhooks, AI keys and custom domains. This can't be undone.

Rotating keys

If a key leaks, delete the project and recreate it, or contact support to rotate in place. Rotating invalidates the old key immediately, so update your SDK snippet at the same time.