Keys & Environments
vouchID integrations use two different keys. Understanding where each key is safe to use is the most important part of a secure integration.
Key Types
Platform Key (Public)
- Used to initialize the widget (iframe URL / SDK configuration).
- Safe to use in frontend code.
- Format example:
pub_platform_...
Application API Key (Secret)
- Used by your backend to call vouchID APIs (for example, token validation).
- Never expose this key in the browser, mobile clients, or public repos.
- Format example:
vouch_test_...orvouch_live_...
Where To Find Keys
Keys are managed in the vouchID Console at console.vouchid.co. Create an organization and an application to view your Platform Key (public) and generate an Application API Key (secret).
If your account is in a gated/beta state and you don't see keys, contact support to be provisioned.
Environments
- Use test keys during development and staging (
vouch_test_). - Use live keys in production (
vouch_live_). - Keep separate keys per application/environment to simplify rotation and access control.
Recommended Environment Variables
# Public platform key (safe for frontend)
NEXT_PUBLIC_VOUCHID_PLATFORM_KEY=pub_platform_...
# Secret application API key (backend only)
VOUCHID_API_KEY=vouch_test_...Local Development Notes
- The widget runs locally at
http://localhost:3003(seeapps/widget/package.json). - If you validate
postMessageorigins in your app, allowhttp://localhost:3003in development andhttps://widget.vouchid.coin production. - Always set
parentOriginto your site origin when embedding the iframe so the widget can safely post messages back to you.