How to generate an API key

Before You Start

To generate an API key in MsgGO, you need:

  • A MsgGO account
  • Administrator privileges for your organization

Private API keys

Private keys are meant to be used in backend systems such as:

  • Servers
  • CI/CD pipelines
  • Cloud functions

They should never be exposed to users or included in frontend code.

Features of private API keys:

  • No domain restrictions
  • No rate limits
  • Best suited for internal services and secured environments

Public API keys

Public keys are designed for frontend applications, such as:

  • Websites
  • Mobile apps
  • Public web forms

These keys are visible to the user, so domain restrictions are enforced to prevent abuse.

Features of public API keys:

  • Must be used only from allowed domains
  • Requests from unknown domains are rejected
  • Have rate limits:
    • Max 5 events per minute per IP address
    • Exceeding this temporarily blocks the IP for 5 minutes
  • Anonymous requests (no IP or origin) are blocked

How to exceed rate limits in the frontend (proxy strategy)

If you need to send more than 5 requests per minute from a frontend (browser or mobile app), you should not use a public API key directly. Instead:

  1. Create a proxy endpoint in your backend (e.g., /api/msggo)
  2. Use a private API key in your backend to communicate with MsgGO
  3. Let your frontend send requests to your proxy

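This keeps your private key on the server and avoids the public rate limits. Because private keys have no domain restrictions or rate limits, the proxy should apply its own origin checks and throttling so it cannot be used as an open relay.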
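A sketch of the proxy from the three steps above, as an added example rather than MsgGO's own code: the private key is read from an environment variable, and each frontend request is checked for origin, size and per-client rate before anything is forwarded. The upstream URL, the Authorization header, the environment variable names and the `{ origin, ip, body }` request shape are assumptions; take the real endpoint and header from the MsgGO API reference.

```javascript
// Added example, not MsgGO's code. ASSUMPTIONS: the upstream URL, the auth header
// and the { origin, ip, body } request shape are placeholders, not MsgGO's API.
const UPSTREAM_URL = process.env.MSGGO_API_URL || "https://msggo.invalid/PLACEHOLDER";
const PRIVATE_KEY = process.env.MSGGO_PRIVATE_KEY || ""; // stays on the server

// Builds the check that decides whether a frontend request may be forwarded.
function createGate({ allowedOrigins, limit, windowMs, maxBytes }) {
  const hits = new Map(); // client IP -> timestamps of accepted requests
  return function check(req, now = Date.now()) {
    if (!allowedOrigins.includes(req.origin)) return { status: 403 };
    if (typeof req.body !== "string") return { status: 400 };
    if (Buffer.byteLength(req.body) > maxBytes) return { status: 413 };
    let payload;
    try { payload = JSON.parse(req.body); } catch { return { status: 400 }; }
    if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
      return { status: 400 };
    }
    // Sliding window per client: the private key has no rate limit upstream,
    // so the proxy is the only place left to throttle.
    const recent = (hits.get(req.ip) || []).filter((t) => now - t < windowMs);
    const allowed = recent.length < limit;
    if (allowed) recent.push(now);
    hits.set(req.ip, recent);
    return allowed ? { status: 200, payload } : { status: 429 };
  };
}

// Sends an accepted payload upstream; the key is attached here and nowhere else.
async function forward(payload) {
  const res = await fetch(UPSTREAM_URL, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${PRIVATE_KEY}`, // assumed header name and scheme
    },
    body: JSON.stringify(payload),
  });
  return res.status; // pass back only the status, never upstream headers
}

// Handler for POST /api/msggo; `send` can be swapped for a stub in tests.
function makeHandler(check, send = forward) {
  return async (req) => {
    const verdict = check(req);
    if (verdict.status !== 200) return { status: verdict.status };
    return { status: await send(verdict.payload) };
  };
}
```

The in-memory map is per process; when the proxy runs as several instances, the counters need a shared store.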

How to create an API key

  1. Log in to your MsgGO account
  2. Click on "API Keys" in the left sidebar
  3. Click "New private key" or "New public key"
  4. Add a description for your key (recommended)
  5. For public keys, make sure to define at least one allowed domain

Best Practices for API Key Management

Adding Descriptions

Always add clear descriptions to your API keys to help identify their purpose. Good examples include:

  • "Production API Key for Team Alpha"
  • "Development Pipeline Key"
  • "Testing Environment Key"

Security Guidelines

  • Never share your API keys with unauthorized persons
  • Store keys securely in environment variables or secure vaults
  • Rotate keys periodically for better security
  • Remove unused keys promptly

Organization Tips

  • Create separate keys for different environments (development, staging, production)
  • Use different keys for different teams or projects
  • Keep track of where each key is being used
  • Stay under the 100 key limit by removing unused keys

Key Limitations

  • Each organization can have up to 100 API keys
  • Keys cannot be temporarily disabled (only deleted)
  • Keys do not expire automatically
  • Keys cannot be restricted to specific events or targets

Next Steps

After generating your API key, you can: