> ## Documentation Index
> Fetch the complete documentation index at: https://paytectechnologies.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# API keys

> How application credentials are issued, and which header each one maps to.

Access is granted to a registered **application**, bound to one association. An
application has three credentials.

* **Client ID** (`clientId`), public identifier for the application.
* **Client secret**: secret used with the client ID to issue an access token.
* **Application secret** (`apiKey`), secret sent on every request as the
  `x-zeam-auth` header.

## How each credential is used

<ParamField path="clientId" type="string">
  Sent with the client secret to [`POST /v1/auth/token`](/authentication/tokens)
  to obtain a bearer token.
</ParamField>

<ParamField path="clientSecret" type="string">
  Sent with the client ID to issue a token. Never sent on other requests.
</ParamField>

<ParamField path="x-zeam-auth" type="string">
  The application secret, sent as a header on every protected request alongside
  the bearer token.
</ParamField>

In short: the client ID and client secret get you a **token**; the application
secret is the **`x-zeam-auth`** header you send with that token.

## How credentials are issued

Applications are registered by an association administrator in the Zeam business
portal, under **Settings → Application Registration**. Registration returns the
client ID, the client secret, and the application secret.

<Warning>
  The client secret and application secret are shown **once**, at registration.
  Store them securely the moment they are issued. They cannot be retrieved
  again.
</Warning>

If you are an integrator without portal access, ask your association
administrator to register an application and share the credentials with you
through a secure channel.

## Sandbox vs production keys

Sandbox and production credentials are separate and not interchangeable. Begin
with sandbox credentials, then receive production credentials when you are
promoted. See [Production promotion](/access/production-promotion).

## Handling credentials safely

* Use credentials only from server-side code.
* Store them in a secret manager, not in source control.
* Treat the application secret like a password; rotate it if it may be exposed.
