Skip to content

Frontend Security

Skunivo API keys are server-side credentials. Do not place them in browser bundles, mobile apps, static sites or client-visible configuration.

Do not call Skunivo directly from browser code with a server-side API key:

// Do not do this in browser code.
const client = new SkunivoClient({
baseUrl: 'https://api.skunivo.com',
apiKey: 'skv_live_...',
organizationId: '...'
})

Any secret shipped to a browser should be considered public.

Use your own backend as the boundary:

  1. The user signs in to your application.
  2. Your backend checks what the user is allowed to do.
  3. Your backend calls Skunivo with a server-side API key.
  4. Your backend returns a filtered response to the browser.

This keeps Skunivo credentials private and lets your product enforce its own user permissions.

import { SkunivoClient } from '@skunivo/sdk'
const client = new SkunivoClient({
baseUrl: process.env.SKUNIVO_BASE_URL!,
apiKey: process.env.SKUNIVO_API_KEY!,
organizationId: process.env.SKUNIVO_ORGANIZATION_ID!
})
export async function listBalancesForCurrentUser(userId: string) {
await authorizeUserForInventory(userId)
const balances = await client.balances.list()
return balances
}

Limited browser-facing tokens are not part of the current public API. Do not design production integrations around them until Skunivo documents an explicit token exchange or limited-token flow.