View and manage your API keys in the Logo.dev dashboard.
Logo.dev provides two types of API keys. Publishable keys are automatically secured for safe client-side use, while secret keys require traditional server-side protection.

Key types

Publishable key (pk_)

Use anywhere — browsers, mobile apps, client-side code. Only works with img.logo.dev. These keys are automatically protected. We handle security for you.
<img
  src="https://img.logo.dev/nike.com?token=LOGO_DEV_PUBLISHABLE_KEY"
  alt="Nike logo"
/>

Secret key (sk_)

Server-side only. Required for search, describe, and other API endpoints. Never expose this key.
// Server-side only
const response = await fetch("https://api.logo.dev/search?q=nike", {
  headers: {
    Authorization: `Bearer LOGO_DEV_SECRET_KEY`,
  },
});

How we protect publishable keys

Your publishable keys are safe to use in public code because we automatically secure them for you. We block suspicious requests before they’re processed and never bill you for blocked traffic. Even if someone copies your publishable key, they can’t rack up charges on your account.

Automatic protections

When a request reaches our servers, we validate it against multiple signals:
  • Endpoint restriction — Publishable keys only work with the image CDN
  • Anomaly detection — We monitor for usage patterns that don’t match your normal traffic
  • Origin blocking — Suspicious referrers and excessive volumes are blocked before they impact your quota

Domain restrictions

For additional control, you can restrict your publishable key to specific domains. When enabled, only requests with a matching Referer header will be allowed.

How to enable

  1. Go to API Keys in your dashboard
  2. Toggle Allowed Domains Only
  3. Add your domains, one per line
  4. Click Save Changes

Domain format

  • example.com — matches only example.com
  • *.example.com — matches all subdomains (e.g., app.example.com, www.example.com)

Set up referrers before enabling. Once domain restrictions are enabled, requests without a Referer header (direct traffic) will be blocked. Make sure your application sends referrer data before turning this on.

Ensuring your app sends referrer data

Browsers send the Referer header automatically for most requests, but certain configurations can prevent this. Here’s how to ensure referrers are sent correctly.

Check your Referrer-Policy

The Referrer-Policy header controls what referrer information is sent with requests. These policies work with domain restrictions:

| Policy | Works? | Notes |
| --- | --- | --- |
| strict-origin-when-cross-origin | ✅ | Modern browser default. Sends origin cross-site. |
| origin | ✅ | Always sends origin (recommended for APIs). |
| origin-when-cross-origin | ✅ | Sends origin for cross-origin requests. |
| unsafe-url | ✅ | Sends full URL (not recommended). |
| no-referrer | ❌ | Never sends referrer. Will break restrictions. |
| same-origin | ❌ | Only sends for same-origin. Will break. |

HTML meta tag

Add this to your <head> to ensure referrers are sent:
<meta name="referrer" content="origin" />

Next.js configuration

Add referrer headers in next.config.js:
module.exports = {
  async headers() {
    return [
      {
        source: "/:path*",
        headers: [
          {
            key: "Referrer-Policy",
            value: "strict-origin-when-cross-origin",
          },
        ],
      },
    ];
  },
};

Per-image referrer policy

You can also set the policy on individual images:
<img
  src="https://img.logo.dev/stripe.com?token=LOGO_DEV_PUBLISHABLE_KEY"
  referrerpolicy="origin"
  alt="Stripe logo"
/>

Testing your setup

Before enabling domain restrictions:
  1. Open your browser’s developer tools (Network tab)
  2. Load a page with Logo.dev images
  3. Click on an img.logo.dev request
  4. Check that the Referer header is present and shows your domain

If no Referer header appears, check your Referrer-Policy settings.

What gets blocked

When domain restrictions are enabled:
  • ✅ Requests from allowed domains
  • ❌ Requests from unlisted domains
  • ❌ Requests with no Referer header (direct access, some privacy tools)
  • ❌ Requests from localhost (unless explicitly added)

Add localhost and *.localhost to your allowed domains during development.
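
The policy table, domain format and block list above can be combined into a pre-flight check to run before toggling Allowed Domains Only. This is an added example, not Logo.dev's code: the function names are hypothetical, and the matching rules (in particular that *.example.com does not cover the bare example.com) are assumptions drawn from the descriptions on this page.

```javascript
// Added example. Matching rules are assumptions taken from this page,
// not Logo.dev's server code.

// Referer a browser sends to a cross-origin HTTPS host (img.logo.dev).
function refererFor(policy, pageUrl) {
  const page = new URL(pageUrl);
  switch (policy) {
    case "no-referrer":
    case "same-origin":
      return null; // nothing is sent cross-origin
    case "origin":
    case "origin-when-cross-origin":
    case "strict-origin-when-cross-origin":
      return page.origin + "/"; // scheme, host and port only
    case "unsafe-url":
      page.hash = "";
      page.username = "";
      page.password = "";
      return page.href; // full URL, including path and query
    default:
      throw new Error(`unhandled policy: ${policy}`);
  }
}

// "example.com" matches only itself; "*.example.com" matches subdomains.
// Assumption: the wildcard does not cover the bare apex domain.
function hostMatches(host, pattern) {
  const p = pattern.trim().toLowerCase();
  if (!p.startsWith("*.")) return host === p;
  const suffix = p.slice(1); // ".example.com": the dot stops "evilexample.com"
  return host.length > suffix.length && host.endsWith(suffix);
}

function wouldBeAllowed(referer, allowedDomains) {
  if (!referer) return false; // no Referer header: blocked
  let host;
  try {
    host = new URL(referer).hostname; // lowercased; scheme, port, path dropped
  } catch {
    return false; // unparsable Referer
  }
  return allowedDomains.some((p) => hostMatches(host, p));
}

// Would a page at pageUrl, under this policy, load logos once restrictions are on?
function preflight(policy, pageUrl, allowedDomains) {
  return wouldBeAllowed(refererFor(policy, pageUrl), allowedDomains);
}
```

The Referer header is supplied by the client, so domain restrictions control which sites can embed your key in a browser; they work alongside the automatic protections above and are not a form of authentication.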

Key rotation

Need to rotate your keys? Contact [email protected] and we’ll generate new keys for you.