Authentication
Keys are workspace-scoped. Browser ingest and the REST API use different headers—don’t mix them.
Browser ingest
The SDK sends Authorization: Bearer <apiKey>. Publishable keys (galya_pub_…) also require X-Galya-Workspace-Id so the worker knows which workspace owns the traffic.
You pass userId yourself—that’s your app’s visitor id (logged-in user, device id, etc.). The worker sets clientId after validating the key.
new GalyaSDK({
  apiKey: "galya_…",
  userId: "user_123",
  workspaceId: "ws_…", // only for galya_pub_… / account keys
});
REST API
@galya/agents uses X-API-Key. Account secrets (galya_sk_…) also need workspaceId, which is sent as X-Galya-Workspace-Id.
Publishable keys are ingest-only and are rejected by the Galya API.
new GalyaApiClient({
  apiKey: process.env.GALYA_SECRET_KEY!,
  workspaceId: "ws_…",
});
Admin API
@galya/admin uses the same account secret (galya_sk_…) from dashboard Settings, but does not send X-Galya-Workspace-Id. Only account secret keys may call POST / GET /v1/admin/workspaces.
Workspace keys (galya_…) and publishable keys (galya_pub_…) cannot create workspaces via the admin API.
import { GalyaAdminClient } from "@galya/admin";
new GalyaAdminClient({
  apiKey: process.env.GALYA_ACCOUNT_SECRET_KEY!, // galya_sk_… only
});
See Admin for the full provisioning and indexing flow.
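The header rules from the three sections above, written as a pre-flight check that fails before a request is sent with the wrong key type. This is an added example, not part of the Galya SDKs: `classifyKey` and `headersFor` are hypothetical helpers, the key values are constructed, and the admin header name `X-API-Key` is an assumption (the page only states that the admin client omits X-Galya-Workspace-Id).

```typescript
// Added example, not Galya SDK code. Prefixes and header names are taken
// from this page; the admin header name is an assumption.
type Surface = "ingest" | "api" | "admin";
type KeyKind = "publishable" | "account" | "workspace";

// Test the longer prefixes first: every key type starts with "galya_".
function classifyKey(key: string): KeyKind {
  if (key.startsWith("galya_pub_")) return "publishable";
  if (key.startsWith("galya_sk_")) return "account";
  if (key.startsWith("galya_")) return "workspace";
  throw new Error("not a Galya key"); // never echo the key itself
}

function headersFor(
  surface: Surface,
  key: string,
  workspaceId?: string,
): Record<string, string> {
  const kind = classifyKey(key);
  if (surface === "admin") {
    if (kind !== "account") {
      throw new Error("admin API accepts account secret keys only");
    }
    // Assumed header name; X-Galya-Workspace-Id is deliberately not sent.
    return { "X-API-Key": key };
  }
  if (surface === "api" && kind === "publishable") {
    throw new Error("publishable keys are ingest-only");
  }
  // Ingest and the REST API carry the key in different headers.
  const headers: Record<string, string> =
    surface === "ingest"
      ? { Authorization: `Bearer ${key}` }
      : { "X-API-Key": key };
  // Publishable and account keys must name the workspace; workspace keys do not.
  if (kind !== "workspace") {
    if (!workspaceId) throw new Error(`${kind} key requires workspaceId`);
    headers["X-Galya-Workspace-Id"] = workspaceId;
  }
  return headers;
}

// Constructed values, for illustration only.
console.log(Object.keys(headersFor("ingest", "galya_pub_constructed", "ws_constructed")));
```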