Authentication
PageGun uses API keys to authenticate all requests. Include your key in the Authorization header as a Bearer token.
API Keys
API keys are scoped to your account and have access to all projects you own. Keys use the pgk_live_ prefix for production environments.
Creating an API Key
- Go to the PageGun Dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Copy the key immediately — it won't be shown again
Warning
API keys are shown only once at creation. Store them securely.
Making Authenticated Requests
Include your API key in the Authorization header:
Authorization: Bearer pgk_live_xxxxxcurl
curl https://api.pagegun.com/v1/projects \
-H "Authorization: Bearer pgk_live_xxxxx"TypeScript
const response = await fetch("https://api.pagegun.com/v1/projects", {
headers: {
Authorization: "Bearer pgk_live_xxxxx",
},
});
const { data } = await response.json();Python
import requests
response = requests.get(
"https://api.pagegun.com/v1/projects",
headers={"Authorization": "Bearer pgk_live_xxxxx"},
)
data = response.json()["data"]Key Permissions
API keys can perform most operations but have the following restrictions:
| Operation | Allowed |
|---|---|
| List / Get resources | ✅ |
| Create pages | ✅ |
| Update pages and projects | ✅ |
| Publish / Unpublish pages | ✅ |
| Manage Data Mode | ✅ |
| Delete projects | ❌ |
| Delete pages | ❌ |
Destructive operations (deleting projects or pages) must be performed through the Dashboard.
Security Best Practices
Danger
Never expose your API key in client-side code, public repositories, or browser requests.
Use environment variables — Store your key in an environment variable, not in source code:
# .env (add to .gitignore)
PAGEGUN_API_KEY=pgk_live_xxxxxconst apiKey = process.env.PAGEGUN_API_KEY;Server-side only — Always call the PageGun API from your backend. Never include API keys in frontend JavaScript, mobile apps, or any code that runs on the client.
Rotate regularly — If you suspect a key has been compromised, revoke it immediately in the Dashboard and create a new one.
Restrict access — Only share API keys with team members who need them. Use separate keys for different environments (staging vs. production).