Building a frontend app against Centrali used to require either a full OAuth setup (service accounts with client_credentials) or proxying every API call through your own backend. For a React app that just needs to list blog posts or submit a contact form, that's overkill.
Publishable keys are a new credential type designed specifically for frontend apps.
How They Work
A publishable key is a workspace-scoped string (pk_live_...) that you can safely embed in browser code. Each key carries explicit scopes that define exactly which collections and actions it can access.
```javascript
import { CentraliSDK } from '@centrali-io/centrali-sdk'

const centrali = new CentraliSDK({
  workspaceId: 'my-workspace',
  publishableKey: 'pk_live_a1b2c3d4e5f6g7h8',
})

// Works (scope: records:list:posts)
const posts = await centrali.records.list('posts')

// Works (scope: records:create:contact-submissions)
await centrali.records.create('contact-submissions', { name: 'Jane', message: 'Hi' })

// Fails: 403 "Missing scope: records:list:internal-users"
await centrali.records.list('internal-users')
```

No OAuth flow. No token refresh. No backend proxy. The key goes in an environment variable (VITE_CENTRALI_PK or NEXT_PUBLIC_CENTRALI_PK), and the SDK sends it as an x-api-key header.
Scoped by Design
When you create a publishable key in the console, you select exactly which resources and actions it can access:
- Records: list, retrieve, create — per collection
- Collections: retrieve schema definitions
- Triggers: execute — per trigger
- Files: retrieve, upload
Wildcard (*) is available for read-only actions. Write actions always require an explicit per-collection target. This prevents accidental broad write access on a low-trust credential.
What Publishable Keys Can't Do
Publishable keys are intentionally limited. They cannot access:
- Users, groups, roles, or policies
- Service accounts or other keys
- Workspace settings or billing
These resources are excluded from the scope model entirely. Admin operations require a user session or service account.
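The rules in the two sections above (explicit per-collection scopes, wildcard only for read-only actions, admin resources excluded from the scope model) can be written down as a small checker. The block below is an added example, not Centrali's SDK or server code. It uses the `resource:action:target` scope shape visible in the SDK example above; the exact scope strings Centrali uses for collections, triggers and files, and the resource names used for the excluded admin resources, are assumptions made here for illustration.

```javascript
// Added example (not Centrali's code): a model of the publishable-key scope
// rules described in "Scoped by Design" and "What Publishable Keys Can't Do".

// Resource -> actions a publishable key may be granted (from the console list).
const ALLOWED_ACTIONS = {
  records: ['list', 'retrieve', 'create'],
  collections: ['retrieve'],
  triggers: ['execute'],
  files: ['retrieve', 'upload'],
};

// Actions that only read; these are the only ones that may carry a '*' target.
const READ_ONLY_ACTIONS = new Set(['list', 'retrieve']);

// Resources the scope model excludes entirely (admin-only). Names are assumed.
const EXCLUDED_RESOURCES = new Set([
  'users', 'groups', 'roles', 'policies',
  'service-accounts', 'keys', 'workspace', 'billing',
]);

// Parse "resource:action:target"; returns null when the shape is wrong.
function parseScope(scope) {
  const parts = scope.split(':');
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) return null;
  const [resource, action, target] = parts;
  return { resource, action, target };
}

// Validate one scope a user is trying to attach to a key. Returns a string
// explaining the rejection, or null when the scope is acceptable.
function scopeError(scope) {
  const parsed = parseScope(scope);
  if (!parsed) return `malformed scope: ${scope}`;
  const { resource, action, target } = parsed;
  if (EXCLUDED_RESOURCES.has(resource)) {
    return `resource "${resource}" is not available to publishable keys`;
  }
  const actions = ALLOWED_ACTIONS[resource];
  if (!actions) return `unknown resource "${resource}"`;
  if (!actions.includes(action)) {
    return `action "${action}" is not allowed on "${resource}"`;
  }
  if (target === '*' && !READ_ONLY_ACTIONS.has(action)) {
    return `wildcard target is not allowed for write action "${action}"`;
  }
  return null;
}

// Validate a whole scope list; returns the errors (empty when the list is valid).
function validateScopes(scopes) {
  return scopes.map(scopeError).filter((e) => e !== null);
}

// Does a granted scope list cover one required scope? A '*' target on a
// granted read scope matches any target of the same resource and action;
// a '*' on a write scope never matches, so a bad grant cannot widen writes.
function hasScope(granted, required) {
  const req = parseScope(required);
  if (!req) return false;
  return granted.some((g) => {
    const p = parseScope(g);
    return (
      p !== null &&
      p.resource === req.resource &&
      p.action === req.action &&
      (p.target === req.target ||
        (p.target === '*' && READ_ONLY_ACTIONS.has(p.action)))
    );
  });
}

// Decide one API call the way the SDK example above shows the API deciding it.
function authorize(granted, resource, action, target) {
  const required = `${resource}:${action}:${target}`;
  return hasScope(granted, required)
    ? { status: 200 }
    : { status: 403, error: `Missing scope: ${required}` };
}

// Constructed scope list matching the key used in the SDK example above.
const EXAMPLE_KEY_SCOPES = ['records:list:posts', 'records:create:contact-submissions'];
```

With `EXAMPLE_KEY_SCOPES`, `authorize` returns 200 for listing `posts` and creating `contact-submissions`, and the 403 with `Missing scope: records:list:internal-users` for the third call; `validateScopes(['records:create:*'])` is rejected, while `records:list:*` is accepted.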
Rate Limiting
Each key is rate-limited independently:
- Read operations: 200 requests/min
- Write operations: 30 requests/min
This protects your workspace from abuse without requiring any configuration.
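To make the two budgets concrete, here is an added example (not Centrali's code) of a limiter that gives every key its own independent read and write counters with the limits stated above. The fixed one-minute window, the classification of `list`/`retrieve` as reads and everything else as writes, and the `pk_live_A`/`pk_live_B` key names are assumptions for illustration; the post does not describe Centrali's actual algorithm.

```javascript
// Added example (not Centrali's code): per-key rate limiting with separate
// read (200/min) and write (30/min) budgets, as stated in "Rate Limiting".

const WINDOW_MS = 60_000;
const LIMITS = { read: 200, write: 30 };

// Actions that count as reads; create, execute and upload count as writes.
const READ_ACTIONS = new Set(['list', 'retrieve']);

function classify(action) {
  return READ_ACTIONS.has(action) ? 'read' : 'write';
}

class KeyRateLimiter {
  // `now` is injectable so the behaviour can be exercised without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.buckets = new Map(); // key -> { read: {start, count}, write: {start, count} }
  }

  bucketFor(key, kind) {
    let perKey = this.buckets.get(key);
    if (!perKey) {
      perKey = { read: { start: 0, count: 0 }, write: { start: 0, count: 0 } };
      this.buckets.set(key, perKey);
    }
    const b = perKey[kind];
    const t = this.now();
    if (t - b.start >= WINDOW_MS) { // window expired: start a fresh one
      b.start = t;
      b.count = 0;
    }
    return b;
  }

  // Returns { allowed, kind, remaining } and, when refused, retryAfterMs.
  check(key, action) {
    const kind = classify(action);
    const b = this.bucketFor(key, kind);
    if (b.count >= LIMITS[kind]) {
      return { allowed: false, kind, remaining: 0, retryAfterMs: WINDOW_MS - (this.now() - b.start) };
    }
    b.count += 1;
    return { allowed: true, kind, remaining: LIMITS[kind] - b.count };
  }
}

// Drive the limiter with a constructed clock: 30 writes succeed, the 31st is
// refused, reads on the same key are unaffected, a second key has its own
// budget, and the write budget returns once the window has passed.
function demo() {
  let clock = 0;
  const limiter = new KeyRateLimiter(() => clock);
  const results = { writesAllowed: 0 };
  for (let i = 0; i < 30; i++) {
    if (limiter.check('pk_live_A', 'create').allowed) results.writesAllowed++;
  }
  results.writeRefused = limiter.check('pk_live_A', 'create');
  results.readAfterWriteLimit = limiter.check('pk_live_A', 'list').allowed;
  results.otherKeyWrite = limiter.check('pk_live_B', 'create').allowed;
  clock += WINDOW_MS;
  results.afterWindow = limiter.check('pk_live_A', 'create').allowed;
  return results;
}
```

The point to take from `demo()` is that exhausting one key's write budget does not touch its read budget, and does not touch any other key at all, which is what "rate-limited independently" means in practice.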
When to Use What
| Credential | Trust Level | Use Case |
|---|---|---|
| Publishable key | Low | Frontend apps, public-facing pages |
| External token (BYOT) | Medium | Apps with user login (Clerk, Auth0) |
| Service account | High | Server-side scripts, CI/CD, backend services |
If your app doesn't need per-user permissions — just access to specific collections — publishable keys are the simplest path.
Available Now
Create a publishable key in Console > ACCESS > Publishable Keys. The create-centrali-app CLI templates are already configured to use them.