payload-posthog

Client (Admin Panel)

posthog-js inside the Payload admin panel — replay, surveys, toolbar.

payloadPosthog({
  apiKey: process.env.POSTHOG_API_KEY!,
  client: {
    autocapture: true, // default
    identifyAdminUser: true, // default
    posthogOptions: {
      // Any posthog-js init option is reachable here.
      session_recording: { maskAllInputs: false },
    },
  },
})

When enabled (the default), the plugin registers a root admin provider component that loads posthog-js and calls posthog.init() on mount. That unlocks autocapture, session replay, surveys, and the toolbar for anyone using the admin panel — the exact same feature set as a normal web app integration, just scoped to /admin.

Is it safe to expose the API key?

Yes. PostHog project API keys (phc_...) are write-only and public by design — similar to a Stripe publishable key. They can send events but can't read your PostHog data. personalApiKey, by contrast, is a genuine secret and is never sent to the browser; it's only ever used server-side (for local flag evaluation and the admin flags widget).

On this page