> ## Documentation Index
> Fetch the complete documentation index at: https://docs.retab.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API keys

> Create test and live API keys for each Retab environment

API keys are environment-scoped. Each key belongs to exactly one
environment, and the key's prefix tells you which one at a glance.

| Prefix      | Environment  | Dashboard section                 |
| ----------- | ------------ | --------------------------------- |
| `rt_test_`  | `test`       | **Test keys**                     |
| `rt_live_`  | `production` | **Live keys**                     |
| `sk_retab_` | `production` | **Live keys** (labelled *legacy*) |

The prefix is a visible hint. The authoritative environment is the one
stored on the server's API key document.

## Create a key from the dashboard

Go to **Developer settings** in the dashboard. The page is split into two
sections — **Test keys** and **Live keys** — to keep environment scope
explicit at the moment of creation.

* Click **Create test key** to mint a new `rt_test_...` key.
* Click **Create live key** to mint a new `rt_live_...` key.

The full key is shown exactly once. Copy it into your secrets store
immediately; Retab only retains a hashed copy after the dialog closes.

## Use a key

Each SDK reads `RETAB_API_KEY` from the environment by default. Pick the
right key per surface:

```bash theme={null}
# Local development
export RETAB_API_KEY=rt_test_...

# CI
RETAB_API_KEY=rt_test_... retab workflows evals runs create wf_...

# Production deploys
export RETAB_API_KEY=rt_live_...
```

```python Python theme={null}
from retab import Retab

client = Retab()                       # reads RETAB_API_KEY
print("Run `retab auth status` to inspect the resolved environment.")
```

```typescript Node theme={null}
import { Retab } from "@retab/node";

const client = new Retab({ apiKey: process.env.RETAB_API_KEY });
```

```go Go theme={null}
import retab "github.com/retab-dev/retab/clients/go"

client, _ := retab.NewClient("")       // empty string -> reads RETAB_API_KEY
_ = client
```

```bash curl theme={null}
curl https://api.retab.com/v1/workflows \
  -H "Authorization: Bearer $RETAB_API_KEY"
```

## Verify a key

Probe the API and see exactly which environment Retab resolved for the
current credential:

```bash theme={null}
retab auth status
```

```text theme={null}
authenticated: true
base_url: https://api.retab.com
active_credential: rt_test_...abcd
resolved_environment: test
```

The same information is available over HTTP from `GET /v1/auth/status`.

## Rules of thumb

* Use a **test** key for local development, CI, integration tests, and
  customer-facing staging apps. Test resources never bill, log, or
  trigger production-only side effects.
* Use a **live** key for production deploys, scheduled jobs, and any
  call that should actually move money, send a notification, or update
  customer-facing systems.
* Never bake a live key into a public repo, a client bundle, or a shell
  history file. Treat it like a database password.
* Rotate keys from the dashboard. Revoking a key invalidates it
  immediately; in-flight requests using the revoked key get `401`.
