API Authentication

Learn how to authenticate requests to the Emp-Mix HTTP API.

Overview

The Emp-Mix API relies on two different keys depending on the endpoint you are accessing. You can find both of these keys in your Dashboard under Project Settings > API Keys.

1. Public API Key

Used exclusively for ingestion endpoints (e.g., tracking an event, identifying a user). These endpoints are designed to be hit directly from client devices, so passing the key in the JSON payload is the standard method.

{
  "apiKey": "pk_1234567890",
  "event": "Button Clicked"
}

2. Secret API Key

Used for privileged, server-to-server operations like querying raw data, exporting users, or deleting records. The Secret Key must be passed in the x-api-key HTTP header.

curl -X GET "https://api.empmix.com/public/events" \
  -H "x-api-key: sk_0987654321"

🚨 Security Warning
Never expose your Secret Key in client-side code, public repositories, or mobile applications. If your Secret Key is compromised, rotate it immediately in the dashboard.
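
One way to enforce this warning in CI is to scan client-side sources for embedded Secret Keys before they ship. The following is an added example, not part of the Emp-Mix documentation or SDK. It assumes Secret Keys always carry the sk_ prefix shown in the sample above; the key length, the file names and the INGEST_URL / EXPORT_URL variables are hypothetical.

```python
import re

# Assumption: Secret Keys share the "sk_" prefix of the page's sample key;
# the character class and minimum length are guesses, not a documented format.
SECRET_KEY_RE = re.compile(r"\bsk_[A-Za-z0-9]{8,}\b")
# Header name taken from the page; only server-to-server calls should set it.
HEADER_RE = re.compile(r"x-api-key", re.IGNORECASE)


def redact(token):
    """Keep just enough of a key to identify it in a report."""
    return token[:5] + "*" * (len(token) - 5)


def scan_client_sources(sources):
    """Return findings for a {path: text} mapping of client-side files.

    Each finding is (path, line_number, kind, detail). kind is "secret-key"
    for an embedded sk_ token, or "secret-header" for client code that
    sets the x-api-key header at all.
    """
    findings = []
    for path, text in sorted(sources.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in SECRET_KEY_RE.finditer(line):
                findings.append((path, lineno, "secret-key", redact(match.group())))
            if HEADER_RE.search(line):
                findings.append((path, lineno, "secret-header", "x-api-key"))
    return findings


# Constructed sample input: two files from a hypothetical web bundle.
SAMPLE_SOURCES = {
    "src/track.js": (
        'fetch(INGEST_URL, {method: "POST",\n'
        '  body: JSON.stringify({apiKey: "pk_1234567890", event: "Button Clicked"})});\n'
    ),
    "src/export.js": (
        'const headers = {"x-api-key": "sk_0987654321"};\n'
        'fetch(EXPORT_URL, {headers});\n'
    ),
}

if __name__ == "__main__":
    for finding in scan_client_sources(SAMPLE_SOURCES):
        print(*finding, sep="\t")
```

The Public Key in src/track.js produces no finding, since it is meant to be sent from client devices. Fail the build on any finding, and rotate any key the scan turns up.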

Cross-Origin Resource Sharing (CORS)

All ingestion endpoints (those requiring the Public API Key) support Cross-Origin Resource Sharing (CORS), allowing you to make requests directly from any web browser.

Endpoints requiring the Secret Key do not support CORS. They will explicitly reject preflight OPTIONS requests to prevent accidental client-side usage of Secret Keys.

Last updated on June 4, 2026