Access Keys
DYPAI projects expose a small set of keys and tokens for different contexts. The most important rule is simple:
- use
jwtfor user-facing app flows - use the project
API Keyonly for server-to-server calls - treat
service_roleas internal/admin-only
Treat all keys like passwords. Never expose project API keys or service-role credentials in browser code, public repositories, or NEXT_PUBLIC_* variables.
The Three Access Credentials
API Key
Use the project API Key for endpoints configured with auth_mode: "api_key".
- Sent via the
X-API-KEYheader - Accepted only on endpoints explicitly configured with
auth_mode: "api_key" - Intended for server-side environments only
- Best for backend jobs, workers, cron tasks, Route Handlers, and server-to-server integrations
- Not for browser or mobile clients
Service Role Key
This is an internal high-privilege credential.
- Sent via
Authorization: Bearer <key> - Grants internal
service_roleaccess - Reserved for trusted backend infrastructure, admin internals, migrations, or private tooling
- Not part of normal app design
- Never expose it outside a secure server context
MCP Token
Use the MCP token to connect AI IDEs such as Cursor or Claude Desktop to your project.
- Used in MCP configuration
- Lets your AI assistant inspect and operate on project resources
- Found in Access β MCP Tokens
Which One Should I Use?
| Credential | Where to use it | Header | Typical use case |
|---|---|---|---|
| JWT session | Browser or mobile app | Authorization: Bearer <user-token> | Signed-in user flows |
| API Key | Server-side code only | X-API-KEY | Server-to-server endpoints |
| Service Role Key | Internal backend only | Authorization: Bearer <key> | Internal admin/system operations |
| MCP Token | IDE MCP config | MCP config | AI IDE connection |
Using The SDK
User-facing app
For browser or app authentication, initialize the SDK with only your project URL:
import { createClient } from '@dypai-ai/client-sdk'
const dypai = createClient(process.env.NEXT_PUBLIC_DYPAI_URL!)
This is the normal setup for:
- login
- signup
- password recovery
- calling
jwtendpoints from the UI
Server-side app
If you need to call api_key endpoints from backend code:
import { createClient } from '@dypai-ai/client-sdk'
const dypaiServer = createClient(
process.env.DYPAI_URL!,
process.env.DYPAI_API_KEY
)
Store keys in server-only environment variables and never hardcode them in source files.
# .env
DYPAI_URL=https://your-project.dypai.app
DYPAI_API_KEY=your-project-api-key
DYPAI_SERVICE_KEY=your-internal-service-key
Recommended Usage Pattern
For most projects:
- Use
jwtfor user-facing endpoints and screens. - Use
api_keyonly for backend-only automation or integrations. - Keep
service_roleout of normal application architecture.
If you start with backend automation before user auth is ready, using api_key endpoints first is fine. When user-facing flows arrive, add jwt endpoints for those app actions.
Security Best Practices
- Never expose the project API Key in browser code
- Never put
DYPAI_API_KEYinNEXT_PUBLIC_*or similar public env vars - Reserve the Service Role Key for internal backend processes only
- Rotate keys if you suspect compromise
- Add
.envto.gitignore
Next Steps
- Authentication β Understand user auth, roles, and endpoint protection
- Endpoints β Build and expose your own API endpoints
- SDK Auth β Implement login, signup, and recovery flows