Your developer app is the Refold workspace that backs every native integration you ship. It holds your API keys, your connector configuration, and the two environments (test and live) that every API call runs against. Use it as the single place to manage how your backend authenticates to Refold.
Every backend request to Refold authenticates with an API key sent in the x-api-key header. The key you use determines which environment the call hits, so getting keys and environments right is the first thing to set up before you wire up linked accounts, webhooks, or actions.

How it works

Refold gives every developer app two isolated environments:
  • Test is for building and QA. Linked accounts, connections, and workflow runs created here never touch production data.
  • Live is what your customers use in production.
Each environment has its own API key and its own connector credentials. A call made with the test key only ever sees test linked accounts, and a call made with the live key only ever sees live ones. The environment is encoded in the key, so you switch environments by switching keys, not by changing the base URL.
All API calls use the base URL https://app.refold.ai and send your API key in the x-api-key header. Never expose your API key in the browser. For frontend authentication, mint a session token on your backend instead.

Get your API key

1. Open Settings > Credentials
   In the Refold Console, go to Settings > Credentials.
2. Copy the key for the environment you want
   Each environment lists its own key. Copy the test key while you build and the live key when you go to production.
3. Store it as an environment variable
   Keep the key out of source control. Read it from an environment variable in your backend.

   export REFOLD_API_KEY="your-api-key-here"

Test vs production credentials

Two things differ between environments, and you set both per environment in the Console.
| What | Test | Live |
| --- | --- | --- |
| API key | Test key from Settings > Credentials | Live key from Settings > Credentials |
| Connector auth | Refold’s shared test OAuth credentials, or your own | Your own OAuth client ID and secret |
| Data | Sandboxed, safe to create and delete freely | Real customer connections and data |
While building, you can connect an app with Refold’s shared test credentials so you don’t need your own OAuth client yet. Before going live, configure your own credentials for each connector under its authentication settings.
The shared test credentials are for development only. Production traffic must use your own OAuth client ID and secret, configured per connector. Shipping with shared credentials risks rate limits and exposes your customers to a client you don’t control.
Hold the test and live keys in separate secrets (for example, REFOLD_API_KEY in your staging config and another in production). Selecting the environment then becomes a deploy concern, not a code change.

Manage and rotate keys

You manage keys from the same Settings > Credentials page where you find them. Rotate a key if it leaks or on your normal secret-rotation schedule, then update the secret in your backend.
Rotating a key invalidates the old one. Any backend still using the previous key gets 401 Unauthorized until you deploy the new key.
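The key-handling rules on this page (read the key from the environment, send it only in the x-api-key header to the base URL, expect 401 after a rotation) can be enforced in one small backend module. This is an added example, not Refold's SDK or code from the Refold docs; the function names and the path `/hypothetical/path` are assumptions made for illustration.

```python
import os
import urllib.request
from urllib.parse import urljoin, urlsplit

BASE_URL = "https://app.refold.ai"  # base URL stated on this page
KEY_ENV_VAR = "REFOLD_API_KEY"      # name used in the export step above
PLACEHOLDER = "your-api-key-here"   # the docs' dummy value, never a real key


class ConfigError(RuntimeError):
    """Raised at startup so a misconfigured backend fails closed."""


def load_api_key(environ=os.environ):
    """Read the key from the environment; refuse empty or placeholder values."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key or key == PLACEHOLDER:
        raise ConfigError(f"{KEY_ENV_VAR} is not set to a real key")
    return key


def redact(key):
    """Log-safe form of the key: at most the last four characters."""
    return "****" + key[-4:] if len(key) > 8 else "****"


def build_request(path, key, method="GET"):
    """Build a request carrying x-api-key that can only target BASE_URL."""
    url = urljoin(BASE_URL + "/", path.lstrip("/"))
    parts = urlsplit(url)
    if (parts.scheme, parts.netloc) != ("https", "app.refold.ai"):
        # An absolute URL in `path` would send the key to another host.
        raise ValueError("refusing to send the API key off the Refold base URL")
    return urllib.request.Request(url, headers={"x-api-key": key}, method=method)


def explain_status(status, key):
    """Turn a response status into an operator message without leaking the key."""
    if status == 401:
        # Per this page, a rotated key is rejected until the new one is deployed.
        return (f"401 Unauthorized for key {redact(key)}: key rotated or wrong "
                f"secret; update {KEY_ENV_VAR} and redeploy, do not retry")
    return f"status {status}"
```

Call `load_api_key()` once at process start so a missing secret stops the deploy instead of surfacing later as a stream of 401 responses.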

Next steps

  • Set up your server: Install the Refold server SDK and point it at your API key.
  • Create linked accounts: Represent each customer and mint a session token for the frontend.
  • Connector authentication: Configure your own OAuth credentials before going live.
  • Subscribe to webhooks: Get notified when connections expire or workflows finish.