Overview
A site key is the credential that connects your widget to Caputchin. You create one inside a troop, and each key is a pair of values plus its own settings, statistics, and history.
One key or several?
Most sites need just one. Create a separate key when you want a surface measured or tuned on its own:
- One per environment (staging and production) so test traffic does not muddy your real statistics.
- One per form or product when you want independent stats, or different security settings, for each.
Keys in the same troop share one set of game customization by default (a key can override it on its own settings), so splitting is usually about isolating settings and statistics. When in doubt, start with one and split later.
Create a key
- Open your troop and go to Site keys.
- Click Create site-key, give it a name, and click Create. A name is all it asks for.
That returns the two values you will use everywhere else:
| Value | Looks like | Where it goes |
|---|---|---|
| Public key | cpt_pub_... | The widget's sitekey attribute, in your page. Safe in the browser. |
| Secret | cpt_sec_... | Your server, in the /siteverify call. Never ship it to the browser. |
The secret is shown once, at creation, so copy it then. The public key is always visible afterward on the key's Integration page, which also shows ready-to-paste embed snippets.
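A pre-deploy check for the rule in the table above, as an added example that is not Caputchin's own code: it scans built browser assets for anything starting with cpt_sec_ and flags a public key configured where the server secret belongs. The character set after each prefix, the file-suffix list, the function names and the sample values are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Prefixes come from the table above; the characters allowed after them are an assumption.
SECRET_RE = re.compile(r"cpt_sec_[A-Za-z0-9_-]+")
PUBLIC_RE = re.compile(r"cpt_pub_[A-Za-z0-9_-]+")
TEXT_SUFFIXES = {".html", ".js", ".mjs", ".css", ".json", ".map", ".txt"}


def scan_browser_assets(root):
    """Return (relative path, line number, redacted token) for each secret found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in SECRET_RE.finditer(line):
                redacted = f"cpt_sec_...({len(match.group())} chars)"  # never log the value
                findings.append((path.relative_to(root).as_posix(), lineno, redacted))
    return findings


def check_server_secret(value):
    """Catch swapped values: the server must hold the secret, not the public key."""
    if PUBLIC_RE.fullmatch(value):
        return "public key supplied where the secret is expected"
    if not SECRET_RE.fullmatch(value):
        return "value does not look like a secret"
    return None


def demo():
    """Constructed build output: one clean page and one bundle that leaked a secret."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text('<div sitekey="cpt_pub_EXAMPLEonly123"></div>\n')
        (root / "app.js").write_text('const a = 1;\nconst s = "cpt_sec_EXAMPLEonly456";\n')
        return scan_browser_assets(root)


if __name__ == "__main__":
    for rel, lineno, token in demo():
        print(f"{rel}:{lineno}: secret in browser asset ({token})")
```

Run it against the directory your build publishes and fail the pipeline on any finding; a secret that reached a published bundle should be treated as leaked and rotated.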
Name
A key's name is a label for your own use, on the key's Settings page under Identification. It does not appear in the widget and does not affect verification, so rename it whenever you like.
Status: enable and disable
Each key has an Enabled toggle on its Settings page. A disabled key rejects every /siteverify call, so verification stops at once without deleting anything. Disable a key when you are rotating away from a leaked deployment, and enable it again when you are ready.
Rotate the secret
Rotate the secret from the Settings page whenever you think it may have leaked. Rotation is immediate: the new secret works at once and the old one stops verifying right away, with no overlap window. The public key is unchanged, so only your backend needs the new value. Deploy it promptly: until the backend has the new secret, its /siteverify calls still use the old one, which no longer verifies.
Delete a key
Deleting is permanent. On the Settings page, Delete site-key removes the key and its verification configuration, and verification stops immediately. You type the key's name (or its public key) to confirm, and it cannot be undone. If you only want to pause a key, disable it instead.
Settings with their own page
- Security: CORS origins, required headers, proof-of-work difficulty, bot blocking, and the rate limit.
- Statistics and sessions: the verification funnel and the per-session log.
- Audit logs: a record of changes made to the key.