Skip to main content
4D has three credential types. Which one you use depends on where the call is made from:

Organization API keys

Every partner API call authenticates with a bearer header:
The key is bound to your organization. There is no org id parameter anywhere in the API - your key is the tenancy. Isolation is enforced with row-level security at the database layer, so a request can only ever read or write rows belonging to your organization.
Treat org_ keys like passwords: server-side only, never in client bundles, rotate if exposed.

Publishable tracking keys

Browser event tracking can’t hide a secret, so it doesn’t use one. POST /v1/track authenticates with a publishable ek_live_… key that ships in your client code, like an analytics measurement id. Abuse is bounded by two controls on the key itself, not by secrecy:
  • a per-key origin allowlist - events are only accepted from browser origins you configured for the key;
  • per-key rate limiting.
You issue and revoke tracking keys with your organization API key - see Trigger an event.

Module credentials

Installed modules push events server-to-server via POST /v1/ingest with an mk_live_… bearer credential plus an HMAC signature header (x-4d-signature) and an Idempotency-Key. This surface is only relevant if you’re building a 4D module; module documentation is provided during module onboarding.

Error envelope

All authenticated surfaces return errors in one envelope:
Missing or invalid credentials are a 401; a valid credential without permission for the operation is a 403 or, where the resource’s existence shouldn’t be revealed, a 404. code values are the stable contract to program against.