> ## Documentation Index
> Fetch the complete documentation index at: https://docs.repdata.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Environments & Authentication

> Base URLs and how Research Defender publishable and private keys are used.

## Environments

| Environment | Base URL                     |
| ----------- | ---------------------------- |
| Production  | `https://prod.rtymgt.com`    |
| Staging     | `https://staging.rtymgt.com` |

All examples in this documentation use the production base URL. Swap in the staging URL for integration testing.

## API Keys

Research Defender issues two keys. Which one you use depends on whether the call is made from the browser (client-side) or your server (server-side).

| Key                 | Where it's used                                       | Used by                                                                                                                                                                                                                                                                                                                                       |
| ------------------- | ----------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Publishable key** | Appended to the URL path of client-side calls         | [SEARCH](https://docs.repdata.com/research-defender/endpoints/get-api-v4-respondents-search-publishable_key), [REVIEW](https://docs.repdata.com/research-defender/endpoints/get-api-v4-respondents-review-publishable_key), [GETTOKEN](https://docs.repdata.com/research-defender/endpoints/get-api-v3-respondents-get_token-publishable_key) |
| **Private key**     | Used server-side and to sign Hashed Validation values | [Destination Platforms](https://docs.repdata.com/research-defender/endpoints/get-api-v3-respondents-destination_platforms-private_key) lookup, V4 Hashed Validation                                                                                                                                                                           |

The key is passed as the final path segment of the request, for example:

```text theme={null}
https://prod.rtymgt.com/api/v4/respondents/search/<publishable_key>?sn_ud=170716409&sy_nr=20210575&rt_cy_ce=us
```

<Warning>
  Keep your private key secret. It is used to decode server-to-server tokens and to sign Hashed Validation values — never expose it in client-side code.
</Warning>

## Client-Side Access to Cookies (SEARCH)

For Research Defender to access a respondent's cookies on the browser side, the request must allow credentials. With a JavaScript-based implementation, set the `withCredentials` attribute to `true`:

```js theme={null}
var xhr = new XMLHttpRequest();
xhr.open("POST", url, true);
xhr.withCredentials = true;
```

This lets Research Defender better track duplicate and fraudulent respondents.

## Protecting Against Suppression

To prevent respondents from manipulating links or suppressing the API response, use one of the two security options described in [Security Options](https://docs.repdata.com/research-defender/overview/02-security-options).
