Skip to content
MorphMorph Docs
Dashboard

API Keys

How API keys work in Morph and how to manage them.

Morph uses API keys to authenticate requests between the Framer plugin and the backend. Each account has one API key.

How it works

When you sign up or sign in, the plugin receives your API key and stores it locally (in Framer's plugin storage, not in the browser). Every request the plugin makes to the Morph backend includes this key in the X-API-Key header.

The API key is not included in the runtime script served to your published site. The runtime uses your site key (a separate, public identifier) instead.

Viewing your key

You can see your API key in:

  • Dashboard → Settings
  • Plugin → the key is stored locally but not displayed for security

Rotating your key

If your key is compromised:

  1. Go to Dashboard → Settings
  2. Click Rotate API Key
  3. A new key is generated immediately
  4. Sign out and back in to the Framer plugin — it will pick up the new key

The old key stops working immediately after rotation.

Security notes

  • The API key grants full access to your account's sites and rules — treat it like a password
  • Never share your API key in public repositories, screenshots, or support requests
  • The key is transmitted over HTTPS and validated server-side with hashed comparison

Settings

Account settings — API key, email, and account management.

Cookies

What cookies Morph sets on your published site and what they're used for.

On this page

How it worksViewing your keyRotating your keySecurity notes