Skip to content

feat: add secretKey config, deprecate personalAPIKey#199

Merged
turnipdabeets merged 3 commits into
mainfrom
rename-personal-api-key-to-secret-key
Jul 7, 2026
Merged

feat: add secretKey config, deprecate personalAPIKey#199
turnipdabeets merged 3 commits into
mainfrom
rename-personal-api-key-to-secret-key

Conversation

@turnipdabeets

Copy link
Copy Markdown
Contributor

Problem

The credential used for local feature flag evaluation and remote config accepts either a Personal API Key (phx_...) or a Project Secret API Key (phs_...), but the config field is named personalAPIKey. That name is misleading — it implies only a personal API key is valid.

Change

Add a new canonical secretKey argument to PostHog::init() and Client::__construct(), and keep personalAPIKey as a deprecated, backwards-compatible alias. This is non-breaking:

  • The effective credential resolves as secretKey ?? personalAPIKey. When both are provided, secretKey wins.
  • The resolved value is stored on the new secretKey field and mirrored onto the existing personalAPIKey field so all internal reads (and any reflection-based access) keep working.
  • personalAPIKey is marked deprecated in phpdoc, pointing users to secretKey.
  • New secretKey param/field carries a tooltip-friendly doc comment (accepts a Personal API Key or Project Secret API Key, defaults to null, used for local flag evaluation and remote config).
  • Public API snapshot (api/public-api.json) updated for the new trailing optional param on both entry points.

Tests cover: secretKey sets the credential, personalAPIKey still works as an alias, and secretKey wins when both are set.

Context

From Slack + PostHog/posthog-js#4046, this is the rename item only, part of a coordinated rename across backend SDKs. Mirrors the change already merged as draft in posthog-python (PR #727).

Add a canonical `secretKey` argument to `PostHog::init()` and
`Client::__construct()` for local feature flag evaluation and remote
config. It accepts either a Personal API Key (phx_...) or a Project
Secret API Key (phs_...). `personalAPIKey` is kept as a deprecated,
backwards-compatible alias; when both are provided, `secretKey` wins.
The resolved value mirrors onto the existing `personalAPIKey` field so
all internal reads keep working. Non-breaking.
@greptile-apps

greptile-apps Bot commented Jul 2, 2026

Copy link
Copy Markdown

Reviews (1): Last reviewed commit: "feat: add secretKey config, deprecate pe..." | Re-trigger Greptile

Comment thread test/PostHogTest.php
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

posthog-php Compliance Report

Date: 2026-07-07 14:11:01 UTC
Duration: 95236ms

✅ All Tests Passed!

46/46 tests passed


Capture Tests

29/29 tests passed

View Details
Test Status Duration
Format Validation.Event Has Required Fields 11ms
Format Validation.Event Has Uuid 5ms
Format Validation.Event Has Lib Properties 4ms
Format Validation.Distinct Id Is String 5ms
Format Validation.Token Is Present 5ms
Format Validation.Custom Properties Preserved 5ms
Format Validation.Event Has Timestamp 4ms
Retry Behavior.Retries On 503 5315ms
Retry Behavior.Does Not Retry On 400 2008ms
Retry Behavior.Does Not Retry On 401 2008ms
Retry Behavior.Respects Retry After Header 8013ms
Retry Behavior.Implements Backoff 15728ms
Retry Behavior.Retries On 500 5113ms
Retry Behavior.Retries On 502 5114ms
Retry Behavior.Retries On 504 5114ms
Retry Behavior.Max Retries Respected 16528ms
Deduplication.Generates Unique Uuids 10ms
Deduplication.Preserves Uuid On Retry 5113ms
Deduplication.Preserves Uuid And Timestamp On Retry 10321ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry 5115ms
Deduplication.No Duplicate Events In Batch 10ms
Deduplication.Different Events Have Different Uuids 6ms
Compression.Sends Gzip When Enabled 4ms
Batch Format.Uses Proper Batch Structure 4ms
Batch Format.Flush With No Events Sends Nothing 3ms
Batch Format.Multiple Events Batched Together 9ms
Error Handling.Does Not Retry On 403 2006ms
Error Handling.Does Not Retry On 413 2009ms
Error Handling.Retries On 408 5113ms

Feature_Flags Tests

17/17 tests passed

View Details
Test Status Duration
Request Payload.Request With Person Properties Device Id 5ms
Request Payload.Flags Request Uses V2 Query Param 5ms
Request Payload.Flags Request Hits Flags Path Not Decide 3ms
Request Payload.Flags Request Omits Authorization Header 4ms
Request Payload.Token In Flags Body Matches Init 4ms
Request Payload.Groups Round Trip 4ms
Request Payload.Groups Default To Empty Object 4ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False 4ms
Request Payload.Disable Geoip Omitted Defaults To False 4ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key 4ms
Request Lifecycle.No Flags Request On Init Alone 2ms
Request Lifecycle.No Flags Request On Normal Capture 5ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests 6ms
Request Lifecycle.Mock Response Value Is Returned To Caller 4ms
Retry Behavior.Retries Flags On 502 106ms
Retry Behavior.Retries Flags On 504 107ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event 7ms

@turnipdabeets turnipdabeets marked this pull request as ready for review July 2, 2026 17:19
@turnipdabeets turnipdabeets requested a review from a team as a code owner July 2, 2026 17:19
@turnipdabeets turnipdabeets requested a review from a team July 2, 2026 17:19
@greptile-apps

greptile-apps Bot commented Jul 2, 2026

Copy link
Copy Markdown

Reviews (2): Last reviewed commit: "test: collapse secret key credential tes..." | Re-trigger Greptile

@turnipdabeets turnipdabeets marked this pull request as draft July 6, 2026 13:50
@turnipdabeets

turnipdabeets commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Marked ready for review.

Naming is settled — this is a generic secret_key config that accepts either a Personal API Key or a Project Secret API Key (both coexist; same Authorization: Bearer header). personal_api_key stays as a deprecated config-name alias that forwards into it — not a deprecation of personal keys as a credential. It's a name-level change and is crash-safe with respect to using the key (adds no new error path).

Merge timing still coordinates with the project-secret-key rollout (feature-flagged today) — ready-for-review ≠ merge-now.

@turnipdabeets turnipdabeets marked this pull request as ready for review July 6, 2026 15:37

@dustinbyrne dustinbyrne left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

example.php / .env.example still contain deprecated references

@turnipdabeets turnipdabeets merged commit 6523018 into main Jul 7, 2026
21 checks passed
@turnipdabeets turnipdabeets deleted the rename-personal-api-key-to-secret-key branch July 7, 2026 14:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants