identity.authtoolkit.com - Static preview

Identity

Access control, credentials, and identity decisions.

Configure projects, integrations, keys, setup values, and test access checks without needing tenant, credential store, JWT, or response envelope internals.

API URL: https://identity.authtoolkit.com
Project ID: project_identity_demo
Environment: production
Project Settings / API Keys

Project ID maps to tenantId internally: tenant_project_identity_demo

Projects

Project | Project ID | Environments | Integrations | Credentials | Health
Identity Demo Project | project_identity_demo | 3 | 3 | 5 | warning

Integrations

Name | Type | Environment | Status | Integration ID
Identity Web App | web_app | production | active | integration_identity_web_app
Identity Worker | worker | staging | active | integration_identity_worker
Custom API Backend | api_service | development | active | integration_custom_api_backend

Integration ID maps to integrationId internally.

Credentials

Credential actions are static placeholders in this phase.

Name | Kind | Status | Preview | Last used | Warning
Publishable Key | publishable_key | active | pub_...3dmo | 2026-06-07T13:10:00.000Z | None
API Key | api_key | active | atk_...8k2p | 2026-06-07T13:20:00.000Z | None
Secret Key | secret_key | active | sk_...92qp | 2026-06-07T12:40:00.000Z | Backend-only. Do not expose this key in browser code.
Service Role Key | service_role_key | active | srv_...5z1a | Not used yet | Dangerous backend-only key. Never expose this in browser examples.
Webhook Secret | webhook_secret | active | whsec_...44mt | Not used yet | Use only for webhook signature checks.

Service Role Key warning

Backend-only. Never expose service role keys in browser examples or public clients.

Create Credential

Static key creation flow for choosing the right credential type, understanding where it can be used, and previewing safe lifecycle actions.

Choose key type

Publishable Key (Frontend safe)

Use this for browser-safe setup values and public client configuration.

Recommended use: Frontend setup and public project identification.

API Key (Backend only)

Use this from trusted server-side code to call hosted Identity.

Recommended use: Backend access evaluation requests.

Keep API keys out of browser code.

Backend-only confirmation required.

Secret Key (Backend only)

Use this for privileged backend operations that need a stronger secret boundary.

Recommended use: Server-side Identity operations.

Store secret keys in environment variables only.

Backend-only confirmation required.

Service Role Key (Dangerous backend only)

Use only for provider backend operations that need elevated service access.

Recommended use: Provider backend operations only.

Dangerous key. Never expose in browser apps.

Backend-only confirmation required.

Webhook Secret (Backend only)

Use this to verify webhook signatures in backend code.

Recommended use: Webhook signature verification.

Only use in trusted webhook handlers.

Backend-only confirmation required.

Expiration

7 days

Short-lived test key.

30 days

Good for temporary launches and trials.

90 days

Recommended default for backend API keys.

Never expires

Use only when rotation is operationally managed.

Safety checklist

  • Raw secrets are not stored.
  • Secret values are shown once.
  • Backend-only keys stay server-side.
  • Service role keys are dangerous.
  • Do not paste secret or service role keys into browser code.

Generated Preview

Name: Backend API Key
Kind: api_key
Preview: atk_...new1
Environment: production
Integration ID: integration_identity_web_app
Created: 2026-06-07T14:00:00.000Z

This secret is shown once. Store it safely.

Lifecycle Actions

Lifecycle actions are disabled placeholders in this static demo.

Setup

Copy the values your app needs from this static setup guide. It mirrors a hosted project setup page without making live calls or generating credentials.

Project connection

Use these values to point your app at this Identity project.

API URL: https://identity.authtoolkit.com

Base URL for hosted Identity requests.

Project ID: project_identity_demo

Product-facing ID. Internally this maps to tenantId.

Integration ID: integration_identity_web_app

Product-facing ID. Internally this maps to integrationId.

Environment: production

The selected project environment.

Preview only
API version: 2026-06-07

Version header for predictable hosted Identity behavior.

Keys

Name | Kind | Preview | Usage | Exposure | Warning
Publishable Key | publishable_key | pub_...3dmo | Browser setup and public client configuration. | Frontend safe | None
API Key | api_key | atk_...8k2p | Server-side access evaluation calls. | Backend only | Keep this outside browser code.
Secret Key | secret_key | sk_...92qp | Trusted backend Identity API calls. | Backend only | Store in environment variables only.
Service Role Key | service_role_key | srv_...5z1a | Provider backend operations only. | Dangerous backend only | Dangerous backend-only key. Never expose it in browser apps.
Webhook Secret | webhook_secret | whsec_...44mt | Webhook signature verification. | Backend only | Use only when verifying webhook signatures.
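
A build-time check for the exposure rules in the Keys table, as an added example (not AuthToolkit's own code): it scans text destined for the browser for backend-only key prefixes. The prefixes come from the previews above; the key-body pattern, the function names and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example, not AuthToolkit code. Prefixes and exposure classes come from
// the Keys table; the key-body pattern below is an assumption.
const KEY_KINDS = [
  { prefix: "pub_", kind: "publishable_key", exposure: "frontend_safe" },
  { prefix: "atk_", kind: "api_key", exposure: "backend_only" },
  { prefix: "sk_", kind: "secret_key", exposure: "backend_only" },
  { prefix: "srv_", kind: "service_role_key", exposure: "dangerous_backend_only" },
  { prefix: "whsec_", kind: "webhook_secret", exposure: "backend_only" },
];

// Assumed format: prefix followed by at least 16 alphanumeric characters.
const KEY_PATTERN = /\b(?:pub|atk|sk|srv|whsec)_[A-Za-z0-9]{16,}\b/g;

// Report a finding the way the dashboard previews keys: prefix plus last four.
function redact(key, prefix) {
  return `${prefix}...${key.slice(-4)}`;
}

// Return every backend-only key found in text destined for the browser.
function findExposedKeys(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const match of text.matchAll(KEY_PATTERN)) {
      const entry = KEY_KINDS.find((k) => match[0].startsWith(k.prefix));
      if (entry.exposure === "frontend_safe") continue; // publishable keys are expected
      findings.push({
        line: index + 1,
        kind: entry.kind,
        exposure: entry.exposure,
        preview: redact(match[0], entry.prefix),
      });
    }
  });
  return findings;
}

// Constructed sample bundle; the key values are made up.
const SAMPLE_BUNDLE = [
  'const cfg = { key: "pub_CONSTRUCTEDSAMPLEKEY0001" };',
  'fetch(url, { headers: { Authorization: "Bearer sk_CONSTRUCTEDSAMPLEKEY0002" } });',
  'const admin = "srv_CONSTRUCTEDSAMPLEKEY0003";',
].join("\n");

const findings = findExposedKeys(SAMPLE_BUNDLE);
console.log(findings);
// In CI, a non-empty result should fail the build.
```
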

SDK Setup

createIdentityHttpClient({
  apiUrl: process.env.AUTHTOOLKIT_IDENTITY_API_URL,
  apiKey: process.env.AUTHTOOLKIT_IDENTITY_SECRET_KEY,
  apiVersion: process.env.AUTHTOOLKIT_IDENTITY_API_VERSION
})

Environment Variables

AUTHTOOLKIT_IDENTITY_API_URL=https://identity.authtoolkit.com
AUTHTOOLKIT_PROJECT_ID=project_identity_demo
AUTHTOOLKIT_INTEGRATION_ID=integration_identity_web_app
AUTHTOOLKIT_IDENTITY_API_VERSION=2026-06-07
AUTHTOOLKIT_IDENTITY_SECRET_KEY=sk_...92qp

HTTP / curl

curl https://identity.authtoolkit.com/v1/access/evaluate \
  -H 'Authorization: Bearer sk_...92qp' \
  -H 'Content-Type: application/json' \
  -H 'x-identity-api-version: 2026-06-07' \
  -d '{"projectId":"project_identity_demo","actorId":"actor_demo","action":"document.read"}'

Test Access Sample

Actor ID: actor_demo_owner
Action: document.read
Resource Type: document
Resource ID: doc_demo_123

Safety Notes

Project ID maps to tenantId internally. Integration ID maps to integrationId internally.

Only previews are displayed here. Secret values should be stored in backend environment variables.

Test Access

Pick a static scenario to see how Actor, Action, and Resource become an Identity decision. This does not execute a live access evaluation.

Scenarios

Owner can read document (allowed)

Owner role can read the selected resource.

Viewer cannot delete document (blocked)

Viewer role cannot delete production resources.

Manager action requires review (review_required)

Sensitive action needs admin review.

Request Preview

Project ID: project_identity_demo
Integration ID: integration_identity_web_app
Environment: production
Actor ID: actor_demo_owner
Action: document.read
Resource Type: document
Resource ID: doc_demo_123

Project ID maps to tenantId internally. Integration ID maps to integrationId internally.

Result

allowed
Allowed: true
Decision ID: decision_identity_allowed
Trace ID: trace_identity_allowed
Audit Event ID: audit_identity_allowed
Safe error code: none

Owner role can read the selected resource.

Troubleshooting

Check actor role

Confirm the actor has the expected role for this project and environment.

Check action name

Make sure the action string matches the permission rule you intended to test.

Check environment

Confirm the request is using the right development, staging, or production environment.

Open Logs with decision ID / trace ID

Use the decision ID or trace ID to find the matching log row when live logs exist.

Envelope Preview

Simplified static response envelope. No raw secret is exposed.

{
  "ok": true,
  "data": {
    "status": "allowed",
    "allowed": true,
    "reason": "Owner role can read the selected resource.",
    "decisionId": "decision_identity_allowed",
    "traceId": "trace_identity_allowed",
    "auditEventId": "audit_identity_allowed",
    "safeErrorCode": null
  }
}
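
How a backend might consume this envelope, as an added example rather than AuthToolkit's own code: it permits only when `ok`, `status` and `allowed` all agree, and treats `review_required`, unknown statuses and unparseable bodies as denials. The function names and the two non-allowed sample envelopes are assumptions; the page shows only the allowed shape.

```javascript
// Added example, not AuthToolkit code: turn the response envelope into a
// permit/deny decision that fails closed on anything unexpected.
const KNOWN_STATUSES = new Set(["allowed", "blocked", "review_required"]);

function deny(reason, data = {}) {
  return {
    permit: false,
    reason,
    status: KNOWN_STATUSES.has(data.status) ? data.status : null,
    decisionId: data.decisionId ?? null, // keep IDs so the log row can be found
    traceId: data.traceId ?? null,
  };
}

function interpretEnvelope(rawBody) {
  let envelope;
  try {
    envelope = JSON.parse(rawBody);
  } catch {
    return deny("malformed_envelope");
  }
  const data = envelope?.data;
  if (envelope?.ok !== true || typeof data !== "object" || data === null) {
    return deny("envelope_not_ok");
  }
  if (!KNOWN_STATUSES.has(data.status)) return deny("unknown_status", data);
  // Status and boolean must agree; a mismatch is treated as a denial.
  if ((data.status === "allowed") !== (data.allowed === true)) {
    return deny("inconsistent_envelope", data);
  }
  if (data.status !== "allowed") return deny(data.safeErrorCode ?? data.status, data);
  return { permit: true, reason: null, status: "allowed",
           decisionId: data.decisionId ?? null, traceId: data.traceId ?? null };
}

// The allowed envelope from this page, plus two constructed variants. That
// non-allowed results use the same shape is an assumption.
const ALLOWED = JSON.stringify({ ok: true, data: { status: "allowed", allowed: true,
  decisionId: "decision_identity_allowed", traceId: "trace_identity_allowed", safeErrorCode: null } });
const REVIEW = JSON.stringify({ ok: true, data: { status: "review_required", allowed: false,
  decisionId: "decision_identity_review", traceId: "trace_identity_review",
  safeErrorCode: "review_required" } });
const MISMATCH = JSON.stringify({ ok: true, data: { status: "blocked", allowed: true } });

for (const body of [ALLOWED, REVIEW, MISMATCH, "<html>502</html>"]) {
  console.log(interpretEnvelope(body));
}
```
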

Logs

Status | Action | Decision ID | Trace ID | Safe error code
allowed | document.read | decision_identity_allowed | trace_identity_allowed | none
blocked | document.delete | decision_identity_blocked | trace_identity_blocked | permission_denied
review_required | payment.enable_live | decision_identity_review | trace_identity_review | review_required

Logs show safe decision metadata only. Secret values are not displayed.

Health

healthy

Integration health

Identity Web App has setup values and recent successful checks.

warning

Key warning

Service Role Key is backend-only and should not appear in browser code.

warning

Missing setup warning

Custom API Backend still needs a production credential before launch.

warning

Rate-limit and abuse preview

Hosted traffic must keep tenant-aware and integration-aware guardrails enabled.