API Keys
Gro uses API keys for authentication. There are two types of keys for different use cases.
Key Types
Section titled “Key Types”| Type | Purpose | Safe to Expose? |
|---|---|---|
| SDK | Browser-based tracking SDK | Yes — scoped to tracking only |
| API | Server-to-server API calls | No — keep secret on your server |
SDK Keys
Section titled “SDK Keys”Used by the Gro JavaScript tracking SDK in your storefront. These keys can only submit tracking events and cannot access the backend API. It’s safe to include them in client-side code.
API Keys
Section titled “API Keys”Used for server-to-server integrations. These keys can authenticate backend API requests and should be kept secret. Required for programmatic access to the Gro API.
Key Format
Section titled “Key Format”gro_{mode}_{accountId}_{random}_{hmac}- Mode:
testorlive - Account ID: identifies which account the key belongs to
- Random: unique random string
- HMAC: signature for edge validation
Managing Keys
Section titled “Managing Keys”Navigate to Settings → API Keys in the Gro dashboard to:
- Generate new SDK or API keys
- View existing keys (the full key is shown only once at creation)
- Revoke keys that are no longer needed
- Track key usage
Using API Keys
Section titled “Using API Keys”SDK Key (Browser)
Section titled “SDK Key (Browser)”Include in your tracking SDK initialisation:
gro.init('gro_live_acc123_xK9p2nZ4s_a7f3c2b')API Key (Server)
Section titled “API Key (Server)”Pass as a Bearer token in the Authorization header:
curl -H "Authorization: Bearer gro_live_acc123_xK9p2nZ4s_a7f3c2b" \ https://api.gro.xyz/api/...For full API documentation, see the API Reference.