Authentication
All API requests require authentication via a Bearer token in the Authorization header. LogStitch issues three kinds of credential, each with its own prefix, permission scope and intended use: master keys, project keys, and short-lived viewer tokens.
API Key Types
LogStitch issues two types of API keys, each with a different permission scope.
- Master keys (mk_): full access to your organization. Create and revoke project keys, manage redaction rules, and perform all administrative operations. One is created automatically during organization setup.
- Project keys (pk_): ingest events, query events, and create viewer tokens. Scoped to a single project.
Using API Keys
Pass your API key as a Bearer token in the Authorization header.
cURL
```bash
# Query events with a project key; the SDK below sends the same header for you.
curl https://logstitch.io/api/v1/events \
  -H "Authorization: Bearer pk_..." \
  -H "Content-Type: application/json"
```
TypeScript SDK
```typescript
import { LogStitch } from '@logstitch/sdk';

// Server-side only: a project key must never reach the browser.
const logstitch = new LogStitch({
  projectKey: 'pk_your_key_here',
});

// The SDK sets the Authorization header automatically.
await logstitch.log({
  action: 'user.invited',
  category: 'team',
  actor: { id: 'user_456', type: 'user', name: 'Alice' },
  tenant_id: 'acme_corp',
});
```
Viewer Tokens
Viewer tokens are short-lived JWTs designed for the embeddable log viewer. They carry a vt_ prefix and are the only credential safe to expose in a browser.
- Created server-side using a project key.
- Force-filter all event queries to a single tenant_id: a tenant can never see another tenant's data.
- Default expiry of 1 hour, maximum of 24 hours.
Create a viewer token
Mint the token in a server-side handler after authenticating the user, and take tenant_id from that user's session rather than from a request parameter; the force-filter only protects tenants if your server, not the browser, decides which tenant a token is bound to.
```typescript
// Runs on your server with a project key; only the resulting vt_ token is sent to the browser.
const { token } = await logstitch.viewerTokens.create({
  tenant_id: 'acme_corp', // the only tenant this token will ever be able to query
  expires_in: 3600,       // seconds: 3600 is the one-hour default; the maximum is 24 hours
});
```
Key Security
- Never expose master keys client-side; an mk_ key can create and revoke every other key in the organization.
- Project keys should only be used server-side.
- Viewer tokens are the only credentials safe for the browser: they are pinned to one tenant and expire.
- Keys are stored as SHA-256 hashes; LogStitch never stores plaintext keys.
- Key hashes are compared in constant time, so a presented key cannot be guessed byte by byte from response timing.
Revoked keys
Revoked keys are immediately invalidated. There is no grace period.
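The following is an added example, not LogStitch's own code or SDK, that shows how the rules from the Key Types, Viewer Tokens and Key Security sections fit together in a server-side authentication layer: the bearer token is parsed from the header, classified by its mk_/pk_/vt_ prefix, hashed with SHA-256 and compared in constant time against stored hashes, then checked for revocation (no grace period) and expiry, after which scopes are enforced per key type and a viewer token is force-filtered to its own tenant regardless of what the client asks for. The scope model, the StoredKey shape, the sample credentials and the rejection reasons are all assumptions made for this illustration.

```typescript
import { createHash, timingSafeEqual } from 'crypto';

// Hypothetical scope model built from the key types described on this page.
export type KeyType = 'master' | 'project' | 'viewer';
export type Scope = 'admin' | 'ingest' | 'query' | 'viewer_tokens:create';

const SCOPES: Record<KeyType, ReadonlySet<Scope>> = {
  master: new Set<Scope>(['admin', 'ingest', 'query', 'viewer_tokens:create']),
  project: new Set<Scope>(['ingest', 'query', 'viewer_tokens:create']),
  viewer: new Set<Scope>(['query']),
};

export interface StoredKey {
  hash: string;        // hex SHA-256 of the raw credential; the plaintext is never stored
  type: KeyType;
  projectId?: string;  // project keys and viewer tokens belong to one project
  tenantId?: string;   // viewer tokens are pinned to one tenant
  expiresAt?: number;  // epoch seconds; only viewer tokens expire
  revoked: boolean;
}

export interface AuthResult { ok: boolean; reason?: string; key?: StoredKey; }

export function sha256Hex(s: string): string {
  return createHash('sha256').update(s, 'utf8').digest('hex');
}

export function keyTypeFromPrefix(raw: string): KeyType | null {
  if (raw.startsWith('mk_')) return 'master';
  if (raw.startsWith('pk_')) return 'project';
  if (raw.startsWith('vt_')) return 'viewer';
  return null;
}

// Extract the credential from "Authorization: Bearer <token>"; any other scheme is rejected.
export function bearerFromHeader(header: string | undefined): string | null {
  if (!header) return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// Compare two hex digests without short-circuiting on the first differing byte.
function digestsEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, 'hex');
  const bb = Buffer.from(b, 'hex');
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

export function authenticate(header: string | undefined, store: readonly StoredKey[], now: number): AuthResult {
  const raw = bearerFromHeader(header);
  if (!raw) return { ok: false, reason: 'missing bearer token' };
  if (!keyTypeFromPrefix(raw)) return { ok: false, reason: 'unknown key prefix' };
  const presented = sha256Hex(raw);
  let match: StoredKey | undefined;
  for (const k of store) {
    // Keep scanning after a hit so the loop's duration does not reveal where the match lives.
    if (digestsEqual(presented, k.hash)) match = k;
  }
  if (!match) return { ok: false, reason: 'invalid key' };
  if (match.revoked) return { ok: false, reason: 'key revoked' }; // immediate, no grace period
  if (match.expiresAt !== undefined && now >= match.expiresAt) return { ok: false, reason: 'token expired' };
  return { ok: true, key: match };
}

export function authorize(key: StoredKey, scope: Scope): boolean {
  return SCOPES[key.type].has(scope);
}

// A viewer token queries exactly its own tenant; a client-supplied tenant is ignored for it.
export function effectiveTenant(key: StoredKey, requested?: string): string | undefined {
  return key.type === 'viewer' ? key.tenantId : requested;
}

// Constructed sample store: the raw credentials below are made up for this example.
export function sampleStore(now: number): StoredKey[] {
  return [
    { hash: sha256Hex('mk_example_master'), type: 'master', revoked: false },
    { hash: sha256Hex('pk_example_project'), type: 'project', projectId: 'proj_demo', revoked: false },
    { hash: sha256Hex('pk_revoked_project'), type: 'project', projectId: 'proj_demo', revoked: true },
    { hash: sha256Hex('vt_example_viewer'), type: 'viewer', projectId: 'proj_demo',
      tenantId: 'acme_corp', expiresAt: now + 3600, revoked: false },
  ];
}

// Stand-alone run: the decision the layer makes for a few constructed requests.
export function demo(now = Math.floor(Date.now() / 1000)): Record<string, string> {
  const store = sampleStore(now);
  const show = (h: string | undefined): string => {
    const r = authenticate(h, store, now);
    return r.ok && r.key ? `ok (${r.key.type})` : `rejected: ${r.reason}`;
  };
  return {
    'project key': show('Bearer pk_example_project'),
    'revoked project key': show('Bearer pk_revoked_project'),
    'viewer token': show('Bearer vt_example_viewer'),
    'wrong scheme': show('Basic abc'),
  };
}
console.log(demo());
```

The store scan compares every entry rather than returning on the first hit; in a real deployment the hash would be an indexed lookup key, but the comparison of the candidate's hash still belongs in timingSafeEqual, as the page's constant-time guarantee describes.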