API Keys
AFCore authenticates every request with a clientId / clientSecret pair. Both come from the AIDE Developer Portal; AIDE owns how they're issued, rotated, and revoked. This page covers only the AFCore-side concern: feeding them into the SDK.
Issue, rotate, and revoke keys in AIDE — see AIDE's own documentation for the workflow.
Using the key in AFCore
AFCoreConfig.builder()
.baseUrl("https://qa.api.example.com") // env-specific URL from your Account Manager
.clientId("…from AIDE…")
.clientSecret("…from AIDE…")
.build()
AFCoreConfig.builder()
.baseUrl("https://qa.api.example.com")
.clientId("…from AIDE…")
.clientSecret("…from AIDE…")
.build()
Each key pair is scoped to a single environment (QA or Production). Keep them out of source control — use Keychain on iOS, EncryptedSharedPreferences on Android, or your build system's secret manager.
QA vs Production
Use a QA key for development and a Production key only for store builds. They live in separate AIDE environments and the data does not cross over.
| QA | Production | |
|---|---|---|
| Member roster | Test members | Real members |
| Visit / activity counts | Sandbox | Real |
| Base URL | qa.api.… | api.… |
When AIDE revokes or rotates a key
If a key is revoked or expires mid-session, AFCore's token refresh flow eventually surfaces SessionState.SESSION_EXPIRED. Subscribe to it and route the user back to sign-in:
AFCore.sessionState.collect { state ->
if (state == SessionState.SESSION_EXPIRED) showLogin("Session expired")
}
AFCore.shared.subscribeToSessionState(
onState: { state in
if state == .sessionExpired { self.showLogin("Session expired") }
},
onError: { _ in },
onComplete: { }
)
See Session Management for the full state machine.