Skip to content

feat: add secretKey config, deprecate personalAPIKey#199

Open
turnipdabeets wants to merge 2 commits into
mainfrom
rename-personal-api-key-to-secret-key
Open

feat: add secretKey config, deprecate personalAPIKey#199
turnipdabeets wants to merge 2 commits into
mainfrom
rename-personal-api-key-to-secret-key

Conversation

@turnipdabeets

Copy link
Copy Markdown
Contributor

Problem

The credential used for local feature flag evaluation and remote config accepts either a Personal API Key (phx_...) or a Project Secret API Key (phs_...), but the config field is named personalAPIKey. That name is misleading — it implies only a personal API key is valid.

Change

Add a new canonical secretKey argument to PostHog::init() and Client::__construct(), and keep personalAPIKey as a deprecated, backwards-compatible alias. This is non-breaking:

  • The effective credential resolves as secretKey ?? personalAPIKey. When both are provided, secretKey wins.
  • The resolved value is stored on the new secretKey field and mirrored onto the existing personalAPIKey field so all internal reads (and any reflection-based access) keep working.
  • personalAPIKey is marked deprecated in phpdoc, pointing users to secretKey.
  • New secretKey param/field carries a tooltip-friendly doc comment (accepts a Personal API Key or Project Secret API Key, defaults to null, used for local flag evaluation and remote config).
  • Public API snapshot (api/public-api.json) updated for the new trailing optional param on both entry points.

Tests cover: secretKey sets the credential, personalAPIKey still works as an alias, and secretKey wins when both are set.

Context

From Slack + PostHog/posthog-js#4046, this is the rename item only, part of a coordinated rename across backend SDKs. Mirrors the change already merged as draft in posthog-python (PR #727).

Add a canonical `secretKey` argument to `PostHog::init()` and
`Client::__construct()` for local feature flag evaluation and remote
config. It accepts either a Personal API Key (phx_...) or a Project
Secret API Key (phs_...). `personalAPIKey` is kept as a deprecated,
backwards-compatible alias; when both are provided, `secretKey` wins.
The resolved value mirrors onto the existing `personalAPIKey` field so
all internal reads keep working. Non-breaking.
@greptile-apps

greptile-apps Bot commented Jul 2, 2026

Copy link
Copy Markdown

Reviews (1): Last reviewed commit: "feat: add secretKey config, deprecate pe..." | Re-trigger Greptile

Comment thread test/PostHogTest.php
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

posthog-php Compliance Report

Date: 2026-07-02 16:14:44 UTC
Duration: 95345ms

✅ All Tests Passed!

46/46 tests passed


Capture Tests

29/29 tests passed

View Details
Test Status Duration
Format Validation.Event Has Required Fields 13ms
Format Validation.Event Has Uuid 6ms
Format Validation.Event Has Lib Properties 7ms
Format Validation.Distinct Id Is String 6ms
Format Validation.Token Is Present 7ms
Format Validation.Custom Properties Preserved 6ms
Format Validation.Event Has Timestamp 6ms
Retry Behavior.Retries On 503 5317ms
Retry Behavior.Does Not Retry On 400 2009ms
Retry Behavior.Does Not Retry On 401 2009ms
Retry Behavior.Respects Retry After Header 8015ms
Retry Behavior.Implements Backoff 15730ms
Retry Behavior.Retries On 500 5115ms
Retry Behavior.Retries On 502 5115ms
Retry Behavior.Retries On 504 5115ms
Retry Behavior.Max Retries Respected 16530ms
Deduplication.Generates Unique Uuids 12ms
Deduplication.Preserves Uuid On Retry 5114ms
Deduplication.Preserves Uuid And Timestamp On Retry 10321ms
Deduplication.Preserves Uuid And Timestamp On Batch Retry 5117ms
Deduplication.No Duplicate Events In Batch 13ms
Deduplication.Different Events Have Different Uuids 7ms
Compression.Sends Gzip When Enabled 6ms
Batch Format.Uses Proper Batch Structure 6ms
Batch Format.Flush With No Events Sends Nothing 4ms
Batch Format.Multiple Events Batched Together 10ms
Error Handling.Does Not Retry On 403 2008ms
Error Handling.Does Not Retry On 413 2010ms
Error Handling.Retries On 408 5115ms

Feature_Flags Tests

17/17 tests passed

View Details
Test Status Duration
Request Payload.Request With Person Properties Device Id 6ms
Request Payload.Flags Request Uses V2 Query Param 5ms
Request Payload.Flags Request Hits Flags Path Not Decide 5ms
Request Payload.Flags Request Omits Authorization Header 5ms
Request Payload.Token In Flags Body Matches Init 6ms
Request Payload.Groups Round Trip 5ms
Request Payload.Groups Default To Empty Object 4ms
Request Payload.Disable Geoip False Propagates As Geoip Disable False 4ms
Request Payload.Disable Geoip Omitted Defaults To False 5ms
Request Payload.Flag Keys To Evaluate Contains Only Requested Key 5ms
Request Lifecycle.No Flags Request On Init Alone 2ms
Request Lifecycle.No Flags Request On Normal Capture 6ms
Request Lifecycle.Two Flag Calls Produce Two Remote Requests 7ms
Request Lifecycle.Mock Response Value Is Returned To Caller 5ms
Retry Behavior.Retries Flags On 502 107ms
Retry Behavior.Retries Flags On 504 107ms
Side Effect Events.Get Feature Flag Captures Feature Flag Called Event 8ms

@turnipdabeets turnipdabeets marked this pull request as ready for review July 2, 2026 17:19
@turnipdabeets turnipdabeets requested a review from a team as a code owner July 2, 2026 17:19
@turnipdabeets turnipdabeets requested a review from a team July 2, 2026 17:19
@greptile-apps

greptile-apps Bot commented Jul 2, 2026

Copy link
Copy Markdown

Reviews (2): Last reviewed commit: "test: collapse secret key credential tes..." | Re-trigger Greptile

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant