stubkit docs

Setup · Required before SDK calls

API keys

Stubkit has two key formats. Use the right one for each surface — mixing them up is the second most common onboarding mistake (first is Apple’s two-key system).

| Format | Where to use | Scopes |
|---|---|---|
| pk_live_... | Mobile / web SDK running on end-user devices. Safe to ship in client bundles. | read:entitlement, write:purchases, track:events |
| sk_live_... | Your own backend only. Never ship to client devices. Used for admin API calls (create apps, sync products, etc.). | admin:* |

Test mode: every key has a twin with a _test_ infix (pk_test_..., sk_test_...) that writes to a sandbox scope with separate subscriptions and events. Swap them in staging.

Create a key

  1. Sign in to app.stubkit.com.
  2. Left nav → API Keys.
  3. Click New key. Pick type:
    • Publishable for mobile/web SDK usage. Default scopes are read-only entitlement + purchase sync.
    • Secret for server-side admin operations. Required if you plan to call stubkit from your own backend.
  4. Give it a name (e.g. ios-app, backend-cron) so you can revoke a specific one later without touching others.
  5. Copy the key immediately — the full value is only shown once. Store it in your build environment (iOS xcconfig, Android local.properties, .env) — never check into git.
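A CI or pre-commit check for the storage rules above, as an added example that is not part of stubkit's docs or SDK: it classifies keys by prefix, flags any sk_ key in a client bundle, and flags any real key in a file headed for git. The key-body pattern (16+ characters of [A-Za-z0-9_]) and all function names are assumptions, and the sample keys are constructed.

```javascript
// Added example, not stubkit code. Assumption: the part after the prefix is
// 16+ characters of [A-Za-z0-9_]; the docs only show it elided as "...".
const KEY_PATTERN = /\b(pk|sk)_(live|test)_([A-Za-z0-9_]{16,})/g;

// Find and classify every stubkit-style key in a blob of text.
function findKeys(text) {
  const found = [];
  for (const m of text.matchAll(KEY_PATTERN)) {
    const body = m[3];
    found.push({
      type: m[1] === 'sk' ? 'secret' : 'publishable',
      mode: m[2],
      // Documentation placeholders are one repeated character (xxxx...).
      placeholder: /^(.)\1*$/.test(body),
      // Never echo a full key into CI logs: keep the prefix and last 4 chars.
      redacted: `${m[1]}_${m[2]}_...${body.slice(-4)}`,
      line: text.slice(0, m.index).split('\n').length,
    });
  }
  return found;
}

// target is 'client' (bundle shipped to devices) or 'repo' (file to commit).
function violations(text, target) {
  return findKeys(text).filter((k) => {
    if (k.placeholder) return false;
    if (k.type === 'secret') return true; // sk_ keys belong on the backend only
    return target === 'repo';             // pk_ may ship in bundles, not in git
  });
}

// Constructed sample: a client file that wrongly embeds a secret key.
const sampleBundle = [
  "new StubkitClient({ publishableKey: 'pk_live_CONSTRUCTEDsample0000002' });",
  "fetch(u, { headers: { Authorization: 'Bearer sk_live_CONSTRUCTEDsample0000001' } });",
  "// docs placeholder: sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxx",
].join('\n');

for (const v of violations(sampleBundle, 'client')) {
  console.log(`line ${v.line}: ${v.type} ${v.mode} key ${v.redacted}`);
}
```

Run it over build output with target 'client' and over staged files with target 'repo', and fail the job when either returns a non-empty list.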

Using pk_live_ in the SDK

import { StubkitClient } from '@stubkit/js';

const stubkit = new StubkitClient({
  appId: 'your-app-id',
  publishableKey: 'pk_live_xxxxxxxxxxxxxxxxxxxxxxxxxx',
  getAuthToken: async () => await authProvider.currentAccessToken(),
});

const isPro = await stubkit.isActive(userId, 'pro');

See the Tenant JWT guide for what getAuthToken should return.

Using sk_live_ from your backend

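// Node / Deno / any server runtime
// The key below is a placeholder: load the real value from your server's
// environment or secret store instead of hard-coding it in source.
await fetch('https://api.stubkit.com/v1/admin/apps', {
  headers: {
    'Authorization': 'Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxx',
  },
});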

Rate limits

  • pk_live_ keys: 30 000 req/min per key.
  • sk_live_ keys and dashboard sessions: 12 000 req/min.
  • Unauth IP: 600 req/min.

Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, Retry-After.

Rotating a key

  1. Create a new key with the same scopes + name.
  2. Deploy the new key to your clients / backends.
  3. Once traffic has moved (check last-seen timestamp on the API Keys page), Revoke the old one.

Revoking is immediate. No other keys are affected.