Client (Admin Panel)
posthog-js inside the Payload admin panel — replay, surveys, toolbar.
payloadPosthog({
apiKey: process.env.POSTHOG_API_KEY!,
client: {
autocapture: true, // default
identifyAdminUser: true, // default
posthogOptions: {
// Any posthog-js init option is reachable here.
session_recording: { maskAllInputs: false },
},
},
})When enabled (the default), the plugin registers a root admin provider
component that loads posthog-js and calls posthog.init() on mount. That
unlocks autocapture, session replay, surveys, and the toolbar for anyone
using the admin panel — the exact same feature set as a normal web app
integration, just scoped to /admin.
Is it safe to expose the API key?
Yes. PostHog project API keys (phc_...) are write-only and public by
design — similar to a Stripe publishable key. They can send events but
can't read your PostHog data. personalApiKey, by contrast, is a genuine
secret and is never sent to the browser; it's only ever used server-side
(for local flag evaluation and the admin flags widget).