feat: add secretKey config, deprecate personalAPIKey#199
Conversation
Add a canonical `secretKey` argument to `PostHog::init()` and `Client::__construct()` for local feature flag evaluation and remote config. It accepts either a Personal API Key (phx_...) or a Project Secret API Key (phs_...). `personalAPIKey` is kept as a deprecated, backwards-compatible alias; when both are provided, `secretKey` wins. The resolved value mirrors onto the existing `personalAPIKey` field so all internal reads keep working. Non-breaking.
|
Reviews (1): Last reviewed commit: "feat: add secretKey config, deprecate pe..." | Re-trigger Greptile |
posthog-php Compliance ReportDate: 2026-07-07 14:11:01 UTC ✅ All Tests Passed!46/46 tests passed Capture Tests✅ 29/29 tests passed View Details
Feature_Flags Tests✅ 17/17 tests passed View Details
|
|
Reviews (2): Last reviewed commit: "test: collapse secret key credential tes..." | Re-trigger Greptile |
|
Marked ready for review. Naming is settled — this is a generic Merge timing still coordinates with the project-secret-key rollout (feature-flagged today) — ready-for-review ≠ merge-now. |
dustinbyrne
left a comment
There was a problem hiding this comment.
example.php / .env.example still contain deprecated references
Problem
The credential used for local feature flag evaluation and remote config accepts either a Personal API Key (
phx_...) or a Project Secret API Key (phs_...), but the config field is namedpersonalAPIKey. That name is misleading — it implies only a personal API key is valid.Change
Add a new canonical
secretKeyargument toPostHog::init()andClient::__construct(), and keeppersonalAPIKeyas a deprecated, backwards-compatible alias. This is non-breaking:secretKey ?? personalAPIKey. When both are provided,secretKeywins.secretKeyfield and mirrored onto the existingpersonalAPIKeyfield so all internal reads (and any reflection-based access) keep working.personalAPIKeyis marked deprecated in phpdoc, pointing users tosecretKey.secretKeyparam/field carries a tooltip-friendly doc comment (accepts a Personal API Key or Project Secret API Key, defaults to null, used for local flag evaluation and remote config).api/public-api.json) updated for the new trailing optional param on both entry points.Tests cover:
secretKeysets the credential,personalAPIKeystill works as an alias, andsecretKeywins when both are set.Context
From Slack + PostHog/posthog-js#4046, this is the rename item only, part of a coordinated rename across backend SDKs. Mirrors the change already merged as draft in posthog-python (PR #727).