| Environment | Use for |
|---|---|
test | Local dev, CI, staging, integration tests |
production | Customer-facing production systems |
404.
Credentials
The credential selects the environment. Not a header, not a base URL, not a CLI flag.| Prefix | Scope | Use for |
|---|---|---|
rt_test_ | Test environment | Dev, CI, staging |
rt_live_ | Production env | Production services |
acctk_ | User + grants | Agents and narrow automation |
Base URL
RETAB_API_BASE_URL selects the Retab deployment: hosted API, local dev
server, private region. It does not select test or production.
CLI Targeting
Local CLI profiles are just names for stored credentials:retab env switch changes only your local default profile. It never changes
server state and it never changes what a credential can access.
Credential resolution is strict:
| Priority | Source |
|---|---|
| 1 | --api-key flag |
| 2 | RETAB_API_KEY |
| 3 | --env <slug> profile |
| 4 | --live production profile |
| 5 | Default profile from env switch |
| 6 | Stored OAuth or access token |
retab auth status to see the resolved environment before a
dangerous command.
Production Safety
High-risk production writes, such as publishing, deleting, rotating secrets, or retrying jobs, require confirmation. In CI or any non-interactive shell, pass--confirm explicitly.
retab env switch production in CI. Pass the production key
in the command environment so the target is visible in the script.
What Is Isolated
| Resource | Isolated per environment |
|---|---|
| API keys | Yes |
| Workflows, blocks, edges, versions | Yes |
| Runs, steps, artifacts, jobs | Yes |
| Webhooks and signing secrets | Yes |
| Workflow secrets / integration creds | Yes |
| Usage records and analytics | Yes |
| Organization membership and billing | No |