View and manage your API keys in the Logo.dev dashboard.
Logo.dev provides two types of API keys. Publishable keys are automatically secured for safe client-side use, while secret keys require traditional server-side protection.

Key types

Publishable key (pk_)

Use anywhere: browsers, mobile apps, client-side code. Only works with img.logo.dev. These keys are protected automatically. You can expose one in client code without putting your account at risk.
<img
  src="https://img.logo.dev/nike.com?token=LOGO_DEV_PUBLISHABLE_KEY"
  alt="Nike logo"
/>

Secret key (sk_)

Server-side only. Required for search, describe, and other API endpoints. Never expose this key.
// Server-side only
const response = await fetch("https://api.logo.dev/search?q=nike", {
  headers: {
    Authorization: `Bearer LOGO_DEV_SECRET_KEY`,
  },
});

How we protect publishable keys

Even when your publishable key is copied, blocked traffic is never billed. We validate every request against several signals before it counts against your quota:
  • Endpoint restriction: publishable keys only work with the image CDN.
  • Anomaly detection: usage that doesn’t match your normal traffic gets flagged.
  • Origin blocking: suspicious referrers and excessive volumes are blocked before they count.

Domain restrictions

For additional control, you can restrict your publishable key to specific domains. When enabled, only requests with a matching Referer header will be allowed.

How to enable

  1. Go to API Keys in your dashboard
  2. Toggle Allowed Domains Only
  3. Add your domains, one per line
  4. Click Save Changes

Domain format

  • example.com: matches only example.com
  • *.example.com: matches all subdomains, like app.example.com and www.example.com

Set up referrers before enabling: once domain restrictions are enabled, requests without a Referer header (direct traffic) will be blocked. Make sure your application sends referrer data before turning this on.

Ensuring your app sends referrer data

Browsers send the Referer header automatically for most requests, but some configurations strip it.

Check your Referrer-Policy

The Referrer-Policy header controls what referrer information is sent with requests. The table shows which policies work with domain restrictions:

| Policy | Works? | Notes |
| --- | --- | --- |
| strict-origin-when-cross-origin | ✅ | Modern browser default. Sends origin cross-site. |
| origin | ✅ | Always sends origin (recommended for APIs). |
| origin-when-cross-origin | ✅ | Sends origin for cross-origin requests. |
| unsafe-url | ✅ | Sends full URL (not recommended). |
| no-referrer | ❌ | Never sends referrer. Will break restrictions. |
| same-origin | ❌ | Only sends for same-origin. Will break. |

HTML meta tag

Add this to your <head> to ensure referrers are sent:
<meta name="referrer" content="origin" />

Next.js configuration

Add referrer headers in next.config.js:
module.exports = {
  async headers() {
    return [
      {
        source: "/:path*",
        headers: [
          {
            key: "Referrer-Policy",
            value: "strict-origin-when-cross-origin",
          },
        ],
      },
    ];
  },
};

Per-image referrer policy

You can also set the policy on individual images:
<img
  src="https://img.logo.dev/stripe.com?token=LOGO_DEV_PUBLISHABLE_KEY"
  referrerpolicy="origin"
  alt="Stripe logo"
/>

Testing your setup

Before enabling domain restrictions:
  1. Open your browser’s developer tools (Network tab)
  2. Load a page with Logo.dev images
  3. Click on an img.logo.dev request
  4. Check that the Referer header is present and shows your domain
If no Referer header appears, check your Referrer-Policy settings.

What gets blocked

When domain restrictions are enabled:
  • ✅ Requests from allowed domains
  • ❌ Requests from unlisted domains
  • ❌ Requests with no Referer header (direct access, some privacy tools)
  • ❌ Requests from localhost (unless explicitly added)
Add localhost and *.localhost to your allowed domains during development.
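
The following is an added example, not Logo.dev's code: a local pre-flight check that combines the Referrer-Policy table and the domain format rules above to predict whether a page's image requests would pass domain restrictions. The function names and the sample allowlist are hypothetical, and it assumes that `*.example.com` does not match the bare `example.com` and that ports are ignored when matching.

```javascript
// Added example: approximates the documented rules; not Logo.dev's implementation.

// Referer a browser sends on a cross-origin image request to img.logo.dev
// (HTTPS target, so never a downgrade) under the given Referrer-Policy.
function refererFor(pageUrl, policy) {
  const u = new URL(pageUrl);
  switch (policy) {
    case "no-referrer":
    case "same-origin": // the request to img.logo.dev is cross-origin
      return null;
    case "unsafe-url":
    case "no-referrer-when-downgrade":
      u.hash = ""; u.username = ""; u.password = ""; // browsers strip these
      return u.href;
    case "origin":
    case "strict-origin":
    case "origin-when-cross-origin":
    case "strict-origin-when-cross-origin":
      return u.origin + "/";
    default:
      throw new Error(`unknown Referrer-Policy: ${policy}`);
  }
}

// "example.com" matches only that host; "*.example.com" matches its subdomains.
// Assumption: the wildcard form does not match the bare domain.
function hostAllowed(host, allowedDomains) {
  const h = host.toLowerCase();
  return allowedDomains.some((entry) => {
    const pattern = entry.trim().toLowerCase();
    if (pattern.startsWith("*.")) return h.endsWith(pattern.slice(1));
    return h === pattern;
  });
}

// Returns "allowed" or the reason the request would be blocked.
function checkPage(pageUrl, policy, allowedDomains) {
  const referer = refererFor(pageUrl, policy);
  if (referer === null) return "blocked: no Referer header";
  // Compare the parsed hostname; never substring-match the raw header.
  const host = new URL(referer).hostname;
  return hostAllowed(host, allowedDomains) ? "allowed" : "blocked: unlisted domain";
}

// Constructed sample allowlist, one entry per line as entered in the dashboard.
const ALLOWED = ["example.com", "*.example.com", "localhost", "*.localhost"];
```

Run `checkPage` with each page URL and the Referrer-Policy your site actually serves before toggling Allowed Domains Only.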

Key rotation

Need to rotate your keys? Contact support@logo.dev and we’ll generate new keys for you.