Settings — API Keys
The API Keys tab in Settings is where you create and manage the credentials your application uses to send data to SimpleLogs.
Key pairs
Each API key you create is actually a key pair: one server key and one client key. They share the same name but serve different roles:
| Key type | Used in | Authentication model |
|---|---|---|
| Server key | Server-side code (Node.js, Edge, Workers) | Trusted — no origin check |
| Client key | Browser-side code | Restricted to an allowlist of approved origins |
The server and client keys have different values. Never expose your server key to browser code — it has no origin restriction and could be used by anyone to write logs to your account.
Keys are displayed in full only once, immediately after creation. Copy them somewhere safe — SimpleLogs only stores a masked preview after that. If you lose a key, revoke it and create a new one.
Creating an API key
Click Create API Key. The form asks for:
Key name (required)
A human-readable label to identify this key (e.g. Production, Staging, Local Dev). Names are 2–80 characters.
Allowed origins (optional, but required to use the client key)
Origins restrict which browser origins are permitted to use the client key. This is a security control that prevents unauthorized websites from writing logs to your account using your client key.
- Enter origins in the format
https://example.comorhttp://localhost:3000 - Wildcard subdomains are supported:
https://*.example.com(matches exactly one subdomain label) - Up to 50 origins per key
- If no origins are added, the client key is disabled. The server key is not affected.
After submitting, the next screen shows the full client and server key values. Copy them now — you will not be able to retrieve the full values again.
Managing existing keys
The keys table shows all keys ordered by creation date, with their masked preview values, creation date, and last-used date.
Click any row to expand it and see the Allowed Origins for that key.
Actions (⋮ menu)
| Action | Description |
|---|---|
| Rename | Update the display name of the key |
| Edit Origins | Add or remove allowed origins for the client key |
| Revoke | Permanently disable the key — all requests using it will be rejected |
Revoking a key
Revocation is immediate and permanent. Any code still using the revoked key will receive 401 Unauthorized responses. Revoked keys remain visible in the table (shown as "Revoked") so you have a record of what existed.
Origin allowlist security model
When a browser sends a request to the SimpleLogs ingestion endpoint using a client key, SimpleLogs checks the Origin header against the key's allowlist:
- If the origin matches (exact match or wildcard match), the request is accepted
- If the origin does not match, the request is rejected with
403 Forbiddenand the blocked origin is recorded - If no origins are configured, all client key requests are rejected
Blocked origin counts appear on the Dashboard so you can detect misconfigured keys.
Wildcard rules
The wildcard * matches exactly one subdomain label and no dots:
| Pattern | Matches | Does not match |
|---|---|---|
https://*.example.com | https://app.example.com | https://sub.app.example.com |
https://*.example.com | https://staging.example.com | https://example.com |
Overly broad wildcards like https://*.com are not accepted.