# API keys

> Create, store, rotate, and revoke the organization-scoped credential used by every protected endpoint.

Every protected endpoint accepts the same organization-scoped API key, sent as a bearer token; it authenticates create, read, regenerate, usage, and billing requests alike.

Keys belong to organizations, not end users. Keep them in server configuration or a secret manager, never in browser code, mobile apps, or anything shipped to clients.

```http theme={null}
Authorization: Bearer kat_live_<publicKeyId>.<secret>
```

<Card title="Open API settings" icon="key-round" href="https://app.katalo.ai/en/organization/api">
  Issue, rotate, and revoke organization API keys from the Katalo dashboard.
</Card>

## Create an API key

1. Open [API settings](https://app.katalo.ai/en/organization/api) in the Katalo dashboard.
2. Confirm you are in the organization that should own the integration.
3. Click **Issue API key** or **Re-issue key**.
4. Name the key after the integration or environment that will use it.
5. Copy the raw secret immediately. It is shown once.

<Warning>
  If you lose the raw secret, issue a new key. Do not expect to recover the old value.
</Warning>

## Store the key on the server

Use an environment variable or secret manager so the key stays out of source control and can vary by environment.

<CodeGroup>
  ```bash macOS/Linux theme={null}
  export KATALO_API_KEY="your-api-key-here"
  ```

  ```powershell Windows theme={null}
  $env:KATALO_API_KEY="your-api-key-here"
  ```

  ```bash .env theme={null}
  KATALO_API_KEY="your-api-key-here"
  ```
</CodeGroup>

Read it from application code:

<CodeGroup>
  ```python Python theme={null}
  import os

  api_key = os.environ["KATALO_API_KEY"]
  ```

  ```javascript JavaScript theme={null}
  const apiKey = process.env.KATALO_API_KEY;
  ```
</CodeGroup>
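The snippet below is an added example, not Katalo's SDK or code from this page. It reads the key the way the Python snippet above does, checks that the value has the `kat_live_<publicKeyId>.<secret>` shape shown at the top of the page, builds the `Authorization` header, and redacts the secret part for anything that might be logged. The regular expression is an assumption (prefix, an id without dots, a dot, a secret); Katalo's exact character sets are not documented here, so treat it as a startup sanity check rather than a validator.

```python
"""Added example (not Katalo's code): load the organization key from the
environment, sanity-check its shape, build the Authorization header shown
on this page, and redact the secret wherever the key might be logged."""
import os
import re

# Shape taken from the header on this page: kat_live_<publicKeyId>.<secret>.
# The exact character sets Katalo uses are not documented here, so this
# pattern is a deliberately loose assumption: prefix, id without dots, dot, secret.
KEY_RE = re.compile(r"^kat_live_(?P<key_id>[^.\s]+)\.(?P<secret>\S+)$")
# Same shape, unanchored, for scrubbing free text such as log lines.
KEY_IN_TEXT_RE = re.compile(r"(kat_live_[^.\s]+)\.\S+")


class MissingApiKeyError(RuntimeError):
    """KATALO_API_KEY is absent or empty."""


def key_is_well_formed(api_key: str) -> bool:
    """True if the value matches the kat_live_<publicKeyId>.<secret> shape."""
    return KEY_RE.match(api_key) is not None


def load_api_key(env=os.environ) -> str:
    """Read the key from the environment (injectable for tests).

    Fails at startup rather than sending an empty or malformed bearer token
    and discovering the problem as a 401 on the first request.
    """
    api_key = env.get("KATALO_API_KEY", "").strip()
    if not api_key:
        raise MissingApiKeyError("KATALO_API_KEY is not set; see 'Store the key on the server'")
    if not key_is_well_formed(api_key):
        raise ValueError("KATALO_API_KEY does not look like kat_live_<publicKeyId>.<secret>")
    return api_key


def auth_headers(api_key: str) -> dict:
    """Headers for a request to a protected endpoint."""
    return {"Authorization": f"Bearer {api_key}"}


def redact(api_key: str) -> str:
    """Safe display form: keeps the public key id, hides the secret part."""
    m = KEY_RE.match(api_key)
    if m is None:
        return "<redacted>"
    return f"kat_live_{m['key_id']}.****"


def scrub(text: str) -> str:
    """Replace the secret part of any embedded key before text reaches a log."""
    return KEY_IN_TEXT_RE.sub(r"\1.****", text)


if __name__ == "__main__":
    key = load_api_key()
    print("using key", redact(key))  # never print the raw value
```

`redact` keeps the public key id so that a log line can still be matched against the key names and last-used timestamps in the dashboard, while `scrub` is for request or error text you do not fully control.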

## Rotate or revoke keys

| Action | When to use it                                                                                 |
| ------ | ---------------------------------------------------------------------------------------------- |
| Rotate | Refresh credentials, separate environments, or move an integration to a different service.     |
| Revoke | Cut off access immediately if a secret was exposed or the integration is no longer in service. |
| Audit  | Review key names and last-used timestamps to keep access understandable.                       |

## Keep API keys off the client

The public API is designed for trusted server-to-server use. Browsers and mobile apps should call your backend, not Katalo directly.

| Rule                               | Why it matters                                                                     |
| ---------------------------------- | ---------------------------------------------------------------------------------- |
| No direct browser calls            | A bearer token in browser code is a credential leak.                               |
| No permissive CORS strategy        | Your backend should authenticate to Katalo and enforce client-level authorization. |
| One organization-scoped credential | Centralized key lifecycle is easier to rotate, review, and revoke.                 |
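The following is an added example of the backend-proxy pattern the table describes; it is not Katalo's own code. The browser or mobile app calls this handler with its own session, the handler authorizes that caller, then it calls Katalo with the organization key from the server environment and returns only the upstream body. `KATALO_API_BASE`, the request path and the allowed origin are placeholders or constructed values, because Katalo's endpoint paths are not on this page; `RecordingTransport` is an offline stand-in for the real HTTP call.

```python
"""Added example, not Katalo's code: a minimal backend proxy so that the
organization API key never reaches browser or mobile code."""
import json
import os
import urllib.request

# Placeholder: replace with the real API base URL from the Katalo docs.
KATALO_API_BASE = os.environ.get("KATALO_API_BASE", "https://KATALO_API_BASE_PLACEHOLDER")

# Origins allowed to call your backend (constructed value). An allowlist,
# not "*", is what "no permissive CORS strategy" means in practice.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})


def http_transport(url, headers, body):
    """Real server-to-server call; used in production, not by the offline demo."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode())


class RecordingTransport:
    """Offline stand-in for http_transport: records what would have been sent."""

    def __init__(self, status=200, body=None):
        self.status, self.body, self.calls = status, body or {"ok": True}, []

    def __call__(self, url, headers, body):
        self.calls.append({"url": url, "headers": headers, "body": body})
        return self.status, self.body


def handle_client_request(request, transport=http_transport, env=os.environ):
    """request: {"origin", "user", "path", "body"} as your web framework supplies them.

    Returns (status, response_headers, response_body) for the *client*.
    """
    origin = request.get("origin")
    cors = {}
    if origin is not None:
        if origin not in ALLOWED_ORIGINS:
            return 403, cors, {"error": "origin not allowed"}
        cors["Access-Control-Allow-Origin"] = origin
    # Client-level authorization is the backend's job; Katalo only sees the org key.
    if not request.get("user"):
        return 401, cors, {"error": "sign in required"}
    api_key = env.get("KATALO_API_KEY")
    if not api_key:
        # Report misconfiguration without echoing any configuration values.
        return 500, cors, {"error": "server misconfigured"}
    upstream_headers = {"Authorization": f"Bearer {api_key}",
                        "Content-Type": "application/json"}
    status, upstream_body = transport(KATALO_API_BASE + request["path"],
                                      upstream_headers, request.get("body", {}))
    # Only the upstream body is forwarded; the bearer header never leaves the server.
    return status, cors, upstream_body


if __name__ == "__main__":
    demo = RecordingTransport()
    req = {"origin": "https://app.example.com", "user": "alice",
           "path": "/PATH_PLACEHOLDER", "body": {}}
    print(handle_client_request(req, transport=demo,
                                env={"KATALO_API_KEY": "kat_live_demo.secret"}))
```

The three checks run in the order a reviewer would want them: origin first, then the caller's own session, then the server's configuration, and the transport is only reached once all three pass.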
