x-api-key header. The key you use determines which environment the call hits, so getting keys and environments right is the first thing to set up before you wire up linked accounts, webhooks, or actions.
How it works
Refold gives every developer app two isolated environments:- Test is for building and QA. Linked accounts, connections, and workflow runs created here never touch production data.
- Live is what your customers use in production.
All API calls use the base URL
https://app.refold.ai and send your API key in the x-api-key header. Never expose your API key in the browser. For frontend authentication, mint a session token on your backend instead.Get your API key
Open Settings > Credentials
In the Refold Console, go to Settings > Credentials.
Copy the key for the environment you want
Each environment lists its own key. Copy the test key while you build and the live key when you go to production.
Test vs production credentials
Two things differ between environments, and you set both per environment in the Console.| What | Test | Live |
|---|---|---|
| API key | Test key from Settings > Credentials | Live key from Settings > Credentials |
| Connector auth | Refold’s shared test OAuth credentials, or your own | Your own OAuth client ID and secret |
| Data | Sandboxed, safe to create and delete freely | Real customer connections and data |
Manage and rotate keys
You manage keys from the same Settings > Credentials page where you find them. Rotate a key if it leaks or on your normal secret-rotation schedule, then update the secret in your backend.Next steps
Set up your server
Install the Refold server SDK and point it at your API key.
Create linked accounts
Represent each customer and mint a session token for the frontend.
Connector authentication
Configure your own OAuth credentials before going live.
Subscribe to webhooks
Get notified when connections expire or workflows finish.