Authentication & environment
Every event sent to ReplayStack must include a valid project API key. Keys belong in server-side environment variables only—never in the browser bundle or public repos.
Ingestion header
All SDK and direct HTTP calls target POST /api/v1/ingest/events and send:
Required header
x-replaystack-api-key: tr_live_xxxxxxxxxxxxxxxxxRotate keys if they leak. Do not log full keys; redact them in support tickets and CI output.
Variables your backend should set
REPLAYSTACK_API_KEY is required. REPLAYSTACK_ENDPOINT (API base URL) is optional—the SDK defaults to https://api.replaystack.co when omitted. Set it for staging, self-hosted, or non-default gateways. Other variables strongly improve debugging in the UI.
.env example
# .env (server only)
REPLAYSTACK_API_KEY=tr_live_xxxxxxxxxxxxxxxxx
# Optional — API origin only (no /api/v1/...); SDK posts to {origin}/api/v1/ingest/events.
# If unset, the SDK defaults to https://api.replaystack.co (ReplayStack Cloud).
# REPLAYSTACK_ENDPOINT=https://api.replaystack.co
REPLAYSTACK_SERVICE_NAME=order-service
APP_VERSION=1.0.0
COMMIT_HASH=a7f91c
NODE_ENV=production| Variable | Role |
|---|---|
| REPLAYSTACK_API_KEY | Project key from the dashboard |
| REPLAYSTACK_ENDPOINT | Optional API origin (SDK adds /api/v1/ingest/events). Defaults to https://api.replaystack.co. |
| REPLAYSTACK_SERVICE_NAME | Logical service name in traces |
| APP_VERSION / COMMIT_HASH | Tie events to a deploy |
| NODE_ENV | development, staging, production, … |
Key prefixes
tr_live_…Production traffic
tr_test_…Local and staging