BrowserStack AI Evals
Settings & Configuration

API Keys

Create and manage API key pairs and write-only ingestion keys.

API Keys

Access via Settings → API Keys in your project.

BrowserStack AI Evals uses two types of project credentials:

Key TypePurposeAuth Method
Public + Secret key pairFull API access — read and writeHTTP Basic Auth (public:secret)
Write-only keyTrace ingestion only — no read accessBearer token

Public / Secret Key Pairs

A public/secret key pair grants full read and write access to all project resources through the REST API.

Creating a key pair:

  1. Go to Settings → API Keys
  2. Click Create new API key
  3. Copy the secret key immediately — it is shown only once
  4. Store both keys securely (e.g., in a secrets manager or CI/CD environment variables)

Usage in the SDK:

export AISDK_PUBLIC_KEY=pk-lf-...
export AISDK_SECRET_KEY=sk-lf-...

Usage in direct API calls (HTTP Basic Auth):

curl https://evals-api.browserstack.com/api/public/traces \
  -u "pk-lf-...:sk-lf-..."

Or with the Authorization header:

curl https://evals-api.browserstack.com/api/public/traces \
  -H "Authorization: Basic $(echo -n 'pk-lf-...:sk-lf-...' | base64)"

Key rotation:

  1. Create a new key pair
  2. Update your application / CI to use the new keys
  3. Delete the old key pair from the settings page

Once you delete a key pair, any application using those credentials will immediately lose access. Always rotate before deleting.

Write-Only Keys

Write-only keys grant ingestion-only access — they can send traces and scores but cannot read any data. Use these for:

  • SDK instrumentation in production (limits blast radius if a key leaks)
  • CI/CD pipelines that only send trace data
  • Third-party services that should have no read access

Creating a write-only key:

  1. Go to Settings → API Keys
  2. Scroll to the Write-Only Keys section
  3. Click Create write-only key
  4. Copy the key immediately

Usage:

# SDK — set the write-only key as the secret key
export AISDK_WRITE_ONLY_KEY=wk-lf-...
# Direct API calls — Bearer token authentication
curl https://evals-api.browserstack.com/api/public/ingestion \
  -H "Authorization: Bearer wk-lf-..."

Write-only keys are accepted on all ingestion endpoints (POST /api/public/ingestion, POST /api/public/traces, POST /api/public/scores).

Organization-Level API Keys

In addition to project-level keys, organization Owners can create organization-level API keys that work across all projects in the organization. These are managed from the organization settings (not the project settings).

Use organization keys for:

  • Multi-project dashboards and reporting tools
  • Organization-wide data pipelines
  • Administrative scripts that need cross-project access

Permission Requirements

ActionRequired Role
View API keysVIEWER and above
Create key pairOWNER or ADMIN
Delete key pairOWNER or ADMIN
Create write-only keyOWNER or ADMIN
Delete write-only keyOWNER or ADMIN

Project Settings

Configure general project properties, AI features, and project lifecycle.

LLM Connections

Connect LLM provider API keys to enable evaluations and the playground.

On this page

API KeysPublic / Secret Key PairsWrite-Only KeysOrganization-Level API KeysPermission Requirements