Understanding Mixpanel: Project Token vs API Secret for PHP Integration

Anshul S. · 2025-09-12T10:51:53.927Z

What is the difference between the two mixpanel token - Project Token & API Secret. I want to send events to mixpanel from my PHP service in the backend, which one should I use?

Understanding Mixpanel: Project Token vs API Secret for PHP Integration | Mixpanel Community

3 comments

· Sorted by Oldest

kapa.ai
APP
·
·
Hi Anshul S., Please stand by as I search the Mixpanel knowledge base for an AI-powered answer. I normally take about 15 seconds or so. In case AI cannot answer your question, feel free to reach out to Mixpanel support at mixpanel.com/get-support. If you have follow-up questions for this thread, please tag me again with your question: @kapa.ai <follow-up question> 👋
Feel free to ask a follow-up question once I've answered by mentioning me with @kapa.ai
kapa.ai
APP
·
·
The Project Token and API Secret (also called Project Secret) serve different purposes in Mixpanel:
Project Token
- Purpose: Identifies which Mixpanel project your data should be sent to. - Usage: Required when sending events or user profile updates, especially from client-side SDKs or server-side SDKs like PHP. - Security: Not a secret; safe to use in client-side code. It does not provide authorization, only identification. - How to use in PHP: When initializing the Mixpanel PHP SDK, you provide the project token:
```LBKS This token will be included automatically in all data sent to Mixpanel from that instance [Docs: PHP SDK](https://docs.mixpanel.com/docs/tracking-methods/sdks/php#sending-events) | [Project Token Reference](https://github.com/mixpanel/docs/blob/main/reference/Mixpanel%20APIs/authentication/project-token.md).
API Secret (Project Secret)
- Purpose: Used for authenticating more powerful or sensitive API operations, such as exporting raw data or importing historical events. - Usage: Was previously required for some server-to-server API calls, but is now being deprecated in favor of Service Accounts. - Security: Highly sensitive—should never be exposed in client-side code or insecure locations. - Deprecation: Mixpanel recommends migrating to Service Accounts for any new integrations. API Secret is still supported for legacy use, but not recommended for new projects API Secret Deprecation.---
Which should you use for sending events from your PHP backend?
You should use the Project Token. The Mixpanel PHP SDK is designed to send events using the project token. This is the standard and secure way to send event data to Mixpanel from your backend service. The API Secret is not required for this use case and should be avoided for new implementations Docs: PHP SDK | Authentication Methods.Summary: - Use the Project Token to send events from your PHP backend. - Do not use the API Secret for this purpose; it is being deprecated and is only for advanced or legacy use cases.
kapa.ai is still learning and improving, please let me know how I did by reacting below.
ℹ️ Tip: Mention @kapa.ai in the thread for follow-ups or DM the app for 1-to-1 help.
Anshul S.
·
·
is project token already exposed to the world via client-side code? So I can safely commit it in my Backend project

kapa.ai
APP
·
·
Hi Anshul S., Please stand by as I search the Mixpanel knowledge base for an AI-powered answer. I normally take about 15 seconds or so. In case AI cannot answer your question, feel free to reach out to Mixpanel support at mixpanel.com/get-support. If you have follow-up questions for this thread, please tag me again with your question: @kapa.ai <follow-up question> 👋
Feel free to ask a follow-up question once I've answered by mentioning me with @kapa.ai
kapa.ai
APP
·
·
The Project Token and API Secret (also called Project Secret) serve different purposes in Mixpanel:
Project Token
- Purpose: Identifies which Mixpanel project your data should be sent to. - Usage: Required when sending events or user profile updates, especially from client-side SDKs or server-side SDKs like PHP. - Security: Not a secret; safe to use in client-side code. It does not provide authorization, only identification. - How to use in PHP: When initializing the Mixpanel PHP SDK, you provide the project token:
```LBKS This token will be included automatically in all data sent to Mixpanel from that instance [Docs: PHP SDK](https://docs.mixpanel.com/docs/tracking-methods/sdks/php#sending-events) | [Project Token Reference](https://github.com/mixpanel/docs/blob/main/reference/Mixpanel%20APIs/authentication/project-token.md).
API Secret (Project Secret)
- Purpose: Used for authenticating more powerful or sensitive API operations, such as exporting raw data or importing historical events. - Usage: Was previously required for some server-to-server API calls, but is now being deprecated in favor of Service Accounts. - Security: Highly sensitive—should never be exposed in client-side code or insecure locations. - Deprecation: Mixpanel recommends migrating to Service Accounts for any new integrations. API Secret is still supported for legacy use, but not recommended for new projects API Secret Deprecation.---
Which should you use for sending events from your PHP backend?
You should use the Project Token. The Mixpanel PHP SDK is designed to send events using the project token. This is the standard and secure way to send event data to Mixpanel from your backend service. The API Secret is not required for this use case and should be avoided for new implementations Docs: PHP SDK | Authentication Methods.Summary: - Use the Project Token to send events from your PHP backend. - Do not use the API Secret for this purpose; it is being deprecated and is only for advanced or legacy use cases.
kapa.ai is still learning and improving, please let me know how I did by reacting below.
ℹ️ Tip: Mention @kapa.ai in the thread for follow-ups or DM the app for 1-to-1 help.
Anshul S.
·
·
is project token already exposed to the world via client-side code? So I can safely commit it in my Backend project

3 comments

Project Token

API Secret (Project Secret)

Which should you use for sending events from your PHP backend?

Project Token

API Secret (Project Secret)

Which should you use for sending events from your PHP backend?