API Keys
Create and manage API keys for GKit products. Keys gate access to private endpoints and are issued per environment.
What API keys are for
By default, SheetsAPI endpoints are publicly readable. Anyone with the URL can fetch the data. If your sheet contains anything that should stay private — internal records, draft content, personally identifiable information — you protect it with an API key.
The moment you create your first key, all of your SheetsAPI endpoints require a valid
Bearer token. There is no per-endpoint toggle — it is a single switch for your whole
account.
Creating a key
- Sign in at gkit.mreshank.com with your Google account.
- In the sidebar, navigate to API Keys.
- Click New key and give it a label (e.g. production, staging, local).
- Copy the full key — it is only shown once. It starts with gkit_.
Keys are stored encrypted. GKit can verify a key without being able to read it back.
Using a key in requests
Pass the key as a Bearer token in the Authorization header:
```bash
curl "https://sheetsapi.gkit.mreshank.com/api/spreadsheets/YOUR_USER_KEY/YOUR_SHEET" \
  -H "Authorization: Bearer gkit_your_key_here"
```
In JavaScript:
```javascript
const res = await fetch(
  "https://sheetsapi.gkit.mreshank.com/api/spreadsheets/YOUR_USER_KEY/YOUR_SHEET",
  {
    headers: { Authorization: "Bearer gkit_your_key_here" },
  }
);
const { data } = await res.json();
```
A request with a missing or invalid token returns 401 Unauthorized.
Key strategy by environment
Create one key per environment so you can revoke one without affecting the others:
| Label | Where it lives |
|---|---|
| local | .env.local on your dev machine |
| staging | Staging environment variables |
| production | Production environment variables |
Never share keys across environments. If a key leaks from staging, you revoke only that one without disrupting production.
Keeping keys off the client
An API key in browser-side JavaScript is not a secret. Anyone who opens devtools can read it.
If you need to protect a Sheet while still serving data to a public frontend:
- Call SheetsAPI from a server component, Route Handler, or edge function — not from useEffect.
- The key stays on the server; the client receives only the response JSON.
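A server-side handler for the pattern above, added here as an example (it is not GKit's own code). The `GKIT_API_KEY` environment variable name, the `handleSheetRequest` function and its injectable `env` and `fetchImpl` parameters are assumptions; the URL is the placeholder used earlier on this page.

```javascript
// Added example: keeps the GKit key on the server and returns only the data.
// SHEETS_URL is the page's placeholder; GKIT_API_KEY is an assumed env var name.
const SHEETS_URL =
  "https://sheetsapi.gkit.mreshank.com/api/spreadsheets/YOUR_USER_KEY/YOUR_SHEET";

function json(status, body) {
  return new Response(JSON.stringify(body), {
    status,
    // no-store: private sheet data should not sit in shared caches.
    headers: { "Content-Type": "application/json", "Cache-Control": "no-store" },
  });
}

// In a Next.js Route Handler this would be called from the exported GET().
// env and fetchImpl are injectable so the handler can be exercised offline.
async function handleSheetRequest(env = process.env, fetchImpl = fetch) {
  const key = env.GKIT_API_KEY;
  // Fail closed before any network call if the key is absent or malformed.
  if (typeof key !== "string" || !key.startsWith("gkit_")) {
    return json(500, { error: "server misconfigured" });
  }

  let upstream;
  try {
    upstream = await fetchImpl(SHEETS_URL, {
      headers: { Authorization: `Bearer ${key}` },
    });
  } catch {
    return json(502, { error: "upstream unreachable" });
  }

  // A 401 means the server's key is missing, invalid, or revoked.
  // Log it server-side; the browser only sees a generic 502.
  if (upstream.status === 401) {
    console.error("SheetsAPI returned 401: check or rotate GKIT_API_KEY");
    return json(502, { error: "upstream auth failed" });
  }
  if (!upstream.ok) {
    return json(502, { error: "upstream error" });
  }

  // Forward only the parsed data, never upstream headers or request config.
  const { data } = await upstream.json();
  return json(200, { data });
}
```

Because a revoked key surfaces here as a logged 401, the server log is where a missed step in a key rotation shows up.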
Rotating a key
- Create a new key from the dashboard.
- Update your environment variables to use the new key.
- Confirm requests are flowing.
- Revoke the old key.
Creating a new key does not invalidate existing ones, so you can roll out the change without downtime.
Revoking a key
From the API Keys page, click the Revoke button next to the key you want to remove.
Revocation is immediate — any request using that key will return 401 from that point on.
For more detail on how authentication works end-to-end, see the SheetsAPI authentication docs.