Frontend Security
Skunivo API keys are server-side credentials. Do not place them in browser bundles, mobile apps, static sites or client-visible configuration.
Unsafe Pattern
Section titled “Unsafe Pattern”Do not call Skunivo directly from browser code with a server-side API key:
// Do not do this in browser code.const client = new SkunivoClient({ baseUrl: 'https://api.skunivo.com', apiKey: 'skv_live_...', organizationId: '...'})Any secret shipped to a browser should be considered public.
Recommended Backend Pattern
Section titled “Recommended Backend Pattern”Use your own backend as the boundary:
- The user signs in to your application.
- Your backend checks what the user is allowed to do.
- Your backend calls Skunivo with a server-side API key.
- Your backend returns a filtered response to the browser.
This keeps Skunivo credentials private and lets your product enforce its own user permissions.
Example Backend Handler
Section titled “Example Backend Handler”import { SkunivoClient } from '@skunivo/sdk'
const client = new SkunivoClient({ baseUrl: process.env.SKUNIVO_BASE_URL!, apiKey: process.env.SKUNIVO_API_KEY!, organizationId: process.env.SKUNIVO_ORGANIZATION_ID!})
export async function listBalancesForCurrentUser(userId: string) { await authorizeUserForInventory(userId)
const balances = await client.balances.list()
return balances}Future Limited Tokens
Section titled “Future Limited Tokens”Limited browser-facing tokens are not part of the current public API. Do not design production integrations around them until Skunivo documents an explicit token exchange or limited-token flow.