# API keys **API keys** authenticate requests to the **Evaluate API** (`/v1/evaluate`, `/v1/runs/.../resume`). They are separate from console login and CLI credentials. ## Creating a key 1. Console → **API keys** 2. Click **Create** 3. Name the key (e.g. `production-billing`, `staging-mobile`) 4. Copy the secret immediately — it is shown **once** Store the secret in your secrets manager or environment variables: ```bash FETCHCATCH_API_KEY=fc_live_... ``` ## Using a key ```bash curl -X POST "https://api.fetchcatch.com/v1/evaluate/my-flow" \ -H "Authorization: Bearer fc_live_..." \ -H "Content-Type: application/json" \ -d '{"userId": "123"}' ``` FetchCatch expects the raw key in the `Authorization: Bearer` header. ## Scope Keys are **tenant-scoped**. They can evaluate any **published** flow in any workspace belonging to the tenant unless future fine-grained scopes are added — treat keys as powerful secrets. ## Rotation 1. Create a new key 2. Deploy the new secret to your services 3. Revoke or delete the old key in the console No downtime if you overlap keys during migration. ## CLI vs API keys | Credential | Used for | |------------|----------| | Console login / `fcc login` | Designer, sync (`fcc pull/apply`) | | API key | `/v1/evaluate` from your apps | Do not use API keys with the CLI sync commands. ## Sync metadata (pull-only) `fcc pull` writes `api-keys/{slug}.json` files containing **metadata** (id, name, timestamps) — not the secret value. These files are **pull-only**: create or revoke keys in the console, then run `fcc pull`. Do not add local `api-keys/*.json` files and expect `fcc apply` to create keys on the server. → [Sync & CI](sync-and-ci.md) ## CI secrets For GitHub Actions syncing flows, use a **CLI token** from **Settings → CLI tokens**: - `FETCHCATCH_TOKEN` — recommended (long-lived, workspace-scoped) Or console credentials (legacy): - `FETCHCATCH_CONSOLE_EMAIL` + `FETCHCATCH_CONSOLE_PASSWORD` Not API keys. → [Sync & CI](sync-and-ci.md) ## Security checklist - Never commit keys to git - Use different keys per environment (staging vs production) - Rotate on engineer offboarding if keys were accessible - Monitor runs for unexpected evaluate volume ## Related - [Evaluate API](evaluate-api.md) - [Getting started](getting-started.md)