# Developer app and API keys

> Register your developer app, find your API keys, and keep test and production environments separate.

Your developer app is the Refold workspace that backs every native integration you ship. It holds your API keys, your connector configuration, and the two environments (test and live) that every API call runs against. Use it as the single place to manage how your backend authenticates to Refold.

Every backend request to Refold authenticates with an API key sent in the `x-api-key` header. The key you use determines which environment the call hits, so getting keys and environments right is the first thing to set up before you wire up [linked accounts](/v3/platform/concepts/linked-account), [webhooks](/v3/native/configure/developer/webhooks), or [actions](/v3/native/configure/developer/api-proxies).

## How it works

Refold gives every developer app two isolated environments:

* **Test** is for building and QA. Linked accounts, connections, and workflow runs created here never touch production data.
* **Live** is what your customers use in production.

Each environment has its own API key and its own connector credentials. A call made with the test key only ever sees test linked accounts, and a call made with the live key only ever sees live ones. The environment is encoded in the key, so you switch environments by switching keys, not by changing the base URL.

<Note>
  All API calls use the base URL `https://app.refold.ai` and send your API key in the `x-api-key` header. Never expose your API key in the browser. For frontend authentication, mint a [session token](/v3/api-reference/session-tokens/generate-session-token) on your backend instead.
</Note>

## Get your API key

<Steps>
  <Step title="Open Settings > Credentials">
    In the [Refold Console](https://app.refold.ai), go to **Settings > Credentials**.
  </Step>

  <Step title="Copy the key for the environment you want">
    Each environment lists its own key. Copy the **test** key while you build and the **live** key when you go to production.
  </Step>

  <Step title="Store it as an environment variable">
    Keep the key out of source control. Read it from an environment variable in your backend.

    ```bash
    export REFOLD_API_KEY="your-api-key-here"
    ```
  </Step>
</Steps>

## Test vs production credentials

Two things differ between environments, and you set both per environment in the Console.

| What               | Test                                                | Live                                     |
| ------------------ | --------------------------------------------------- | ---------------------------------------- |
| **API key**        | Test key from **Settings > Credentials**            | Live key from **Settings > Credentials** |
| **Connector auth** | Refold's shared test OAuth credentials, or your own | Your own OAuth client ID and secret      |
| **Data**           | Sandboxed, safe to create and delete freely         | Real customer connections and data       |

While building, you can connect an app with Refold's shared test credentials so you don't need your own OAuth client yet. Before going live, configure your own credentials for each connector under its [authentication settings](/v3/platform/concepts/connector/authentication).

<Warning>
  The shared test credentials are for development only. Production traffic must use your own OAuth client ID and secret, configured per connector. Shipping with shared credentials risks rate limits and exposes your customers to a client you don't control.
</Warning>

<Tip>
  Hold the test and live keys in separate secrets (for example, `REFOLD_API_KEY` in your staging config and another in production). Selecting the environment then becomes a deploy concern, not a code change.
</Tip>

## Manage and rotate keys

You manage keys from the same **Settings > Credentials** page where you find them. Rotate a key if it leaks or on your normal secret-rotation schedule, then update the secret in your backend.

<Warning>
  Rotating a key invalidates the old one. Any backend still using the previous key gets `401 Unauthorized` until you deploy the new key.
</Warning>
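
One way a backend can handle the rotation window described above, together with the environment-variable and `x-api-key` guidance earlier on this page. This is an added example, not Refold's SDK or code from the Refold docs. The request path passed in, the `env` mapping (for instance a view over your secret store), the `opener` parameter and the `RefoldAuthError` class are assumptions made for illustration.

```python
import os
import urllib.error
import urllib.request

BASE_URL = "https://app.refold.ai"   # base URL stated on this page
KEY_ENV = "REFOLD_API_KEY"           # variable name used on this page


class RefoldAuthError(RuntimeError):
    """Hypothetical error type; its message never contains the key value."""


def load_key(env=os.environ):
    # Fail closed: a missing or blank secret stops the call instead of
    # sending an unauthenticated request.
    key = env.get(KEY_ENV, "").strip()
    if not key:
        raise RefoldAuthError(f"{KEY_ENV} is not set")
    return key


def build_request(path, key):
    # The key travels only in the x-api-key header, never in the URL,
    # so it stays out of access logs and proxy logs.
    return urllib.request.Request(BASE_URL + path, headers={"x-api-key": key})


def call_refold(path, env=os.environ, opener=urllib.request.urlopen):
    """GET `path`; on 401 re-read the secret once in case it was rotated."""
    key = load_key(env)
    try:
        return opener(build_request(path, key))
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise
    fresh = load_key(env)  # the secret source may now hold the new key
    if fresh == key:
        # Same key rejected: this deploy still carries the old secret.
        raise RefoldAuthError("401 Unauthorized: deploy the rotated key")
    try:
        return opener(build_request(path, fresh))
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise RefoldAuthError("401 Unauthorized: rotated key rejected") from None
        raise
```

With the default `os.environ`, a rejected key surfaces as a single `RefoldAuthError` that names the fix without echoing the secret. Passing a mapping backed by your secret manager lets a running process pick up the new key without a restart.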

## Next steps

<CardGroup cols={2}>
  <Card title="Set up your server" icon="server" href="/v3/native/configure/developer/server-setup">
    Install the Refold server SDK and point it at your API key.
  </Card>

  <Card title="Create linked accounts" icon="user-plus" href="/v3/native/configure/developer/linked-accounts">
    Represent each customer and mint a session token for the frontend.
  </Card>

  <Card title="Connector authentication" icon="key" href="/v3/platform/concepts/connector/authentication">
    Configure your own OAuth credentials before going live.
  </Card>

  <Card title="Subscribe to webhooks" icon="bell" href="/v3/native/configure/developer/webhooks">
    Get notified when connections expire or workflows finish.
  </Card>
</CardGroup>
