Board identifiers and publishable keys

Choose a stable, public-safe identifier for SDK requests.

The board option tells the API which job board a request belongs to. Use the board’s immutable pk_… publishable key in every deployed frontend.

Accepted identifiers

createBoardClient accepts three board identifiers:

IdentifierExampleRecommended use
Publishable keypk_0123456789abcdef0123456789abcdefDeployed and local frontends
Internal board IDboards_…Internal diagnostics when Cavuno gives you the ID
Board slugexample-careersShort-lived local investigation only

Slugs are operator-mutable. A rename can break a frontend that uses the old slug. The publishable key remains the deployment-safe identity.

Configure the client

Keep the API URL and key in the framework’s environment configuration:

ts
import { createBoardClient } from '@cavuno/board';
export const board = createBoardClient({
board: process.env.PUBLIC_CAVUNO_BOARD!,
});

The SDK uses https://api.cavuno.com by default. Only pass baseUrl when Cavuno supplies a different environment, and pass the origin only—the client adds the version and encoded board identifier.

Frameworks expose public values differently. Use NEXT_PUBLIC_CAVUNO_BOARD in browser-visible Next.js code or VITE_CAVUNO_BOARD in a Vite browser bundle, but pass the value to the same board option.

What the publishable key grants

A publishable key:

  • Selects one board.
  • Is intended to be present in public frontend code and requests.
  • Does not authenticate a candidate or employer.
  • Does not grant access to Cavuno’s operator/admin API.
  • Does not bypass board-password or feature entitlement checks.

A board-user access token is different. It represents a person and must be protected according to your session architecture. Never substitute it for board or put it in a public environment variable.

Verify the key before building routes

ts
const context = await board.context();
console.log({
id: context.id,
slug: context.slug,
name: context.name,
});

Compare the returned name and slug with the board you intended to connect. This catches a well-formed key copied from the wrong environment or board.

For an automated static and runtime check, export the canonical variables in the shell and run:

bash
npx @cavuno/board doctor

The CLI reads process.env; it does not automatically load your framework’s .env file. Doctor requires a pk_ key followed by 32 hexadecimal characters and then resolves the board context. A skipped frontend probe means that frontend behavior was not tested; add --frontend <url> once the application is running.

Common failures

boards_not_found

The identifier does not resolve. Re-copy the key and check that the application is using the intended environment file at runtime.

A browser request targets the wrong board after deployment

Public environment values can be fixed at build time by some frameworks. Confirm which deployment stage injects the value and rebuild when changing it.

A key appears in browser developer tools

That is expected for a publishable key. Investigate only if the value is a bearer token, refresh token, or operator credential.

Next, decide who owns authentication and sessions.