posthog-security-basics

# PostHog Security Basics ## Overview Secure PostHog API key management, least-privilege access, and secret rotation. PostHog has two key types with very different security profiles: the Project API Key (`phc_...`) is intentionally public and safe to include in frontend bundles, while the Personal API Key (`phx_...`) grants admin access and must never be exposed. ## Prerequisites - PostHog account with admin access - Understanding of environment variable management - `.gitignore` configured ## Instructions ### Step 1: Understand Key Security Profiles | Key Type | Prefix | Exposure Risk | Capabilities | |----------|--------|--------------|-------------| | Project API Key | `phc_` | **Low** (designed to be public) | Capture events, evaluate flags, identify users | | Personal API Key | `phx_` | **Critical** (full admin access) | CRUD flags, read persons, query insights, delete data | ```bash # .env (NEVER commit) NEXT_PUBLIC_POSTHOG_KEY=phc_abc123 # Safe for frontend (NEXT_PUBLIC_ prefix) POSTHOG_PERSONAL_API_KEY=phx_xyz789 # Server-only — NEVER in frontend code POSTHOG_PROJECT_ID=12345 # .gitignore .env .env.local .env.*.local ``` ### Step 2: Create Scoped Personal API Keys ```bash set -euo pipefail # Create a read-only key for BI dashboards curl -X POST "https://app.posthog.com/api/personal_api_keys/" \ -H "Authorization: Bearer $POSTHOG_PERSONAL_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "label": "bi-dashboard-readonly", "scopes": ["ins...