Projects & API keys
How projects, API keys and secret keys work, and how to rotate them.
A project is a single website or application you monitor. Everything in error.page — incidents, branded pages, webhooks, AI keys, custom domains — belongs to a project, and projects belong to your account only. You never see another account's data, and they never see yours.
Keys
Each project has two keys:
- API key (
ep_…) — public. It identifies your project in the SDK snippet and in ingest requests. It's safe to include in client-side code. - Secret key (
eps_…) — private. Used to authenticate server-side ingestion when you enable secret-key enforcement. Never expose it in the browser.
Find both under Projects in the dashboard.
Secret-key enforcement
By default any request bearing your API key can report an error. If you ingest errors server-side, you can require the secret key as well: enable enforce secret key on the project and send it as the X-Secret-Key header. Requests without a valid secret are then rejected.
Origin allowlist
Your API key is public by design — it ships in the browser SDK, so anyone viewing your page can read it. That's expected (it identifies your project, like a Sentry DSN), but it means someone could copy it and send forged error reports.
To blunt this, set an origin allowlist under a project's Security & settings. List the hosts your SDK legitimately runs on, one per line:
app.yourcompany.com
*.yourcompany.com
When an allowlist is set, browser ingest is accepted only when the request's Origin (or Referer) matches — by exact host or a *.domain wildcard. Leave it empty to allow any origin.
A caveat worth understanding: the Origin header is enforced by browsers, so a non-browser client (like curl) can spoof it. The allowlist therefore stops casual and cross-site abuse, not a determined scripted attacker. For that, combine it with:
- secret-key enforcement for server-side reporting (below), and
- the built-in rate limits, which cap how much any single origin can send regardless of plan.
For the strongest protection — cryptographic proof that a report came from your own app — enable hardened ingest, which verifies short-lived signed tokens your server mints.
Usage & limits
Each project tracks how many errors it has ingested in the current calendar month. On the Free plan a project is capped (500 errors/month); paid plans are unlimited. The counter resets automatically at the start of each month — you don't need to do anything.
See Plans & billing for the limits per tier.
Creating and deleting
- Free accounts can create one project. Upgrade for unlimited projects.
- Deleting a project permanently removes its incidents, branded page, webhooks, AI keys and custom domains. This can't be undone.
Rotating keys
If a key leaks, delete the project and recreate it, or contact support to rotate in place. Rotating invalidates the old key immediately, so update your SDK snippet at the same time.