> ## Documentation Index
> Fetch the complete documentation index at: https://docs.honeycomb.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate Honeycomb API requests with Ingest, Management, or Configuration keys. Find out which key type each endpoint requires.

All Honeycomb API requests require an API key.
The type of key you use depends on what you're doing.

## Honeycomb Resource Hierarchy

Honeycomb organizes resources hierarchically: Teams contain Environments, and Environments contain Datasets and other resources.

API keys operate at different levels of this hierarchy, which determines what they can access.

* **Environment-level keys** access a single Environment and its Datasets. These include Ingest and Configuration Keys.
* **Team-level keys** access all Environments and Team settings. These are Management Keys.

<Note>
  If you use Honeycomb Classic, your account doesn't have Environments.
  Classic API keys operate at the Team level and access all your Classic Datasets directly.
</Note>

## API Key Types

Honeycomb has three types of API keys, each designed for a specific purpose and scope.

| Key Type      | Scope       | Use                          | Authentication      |
| ------------- | ----------- | ---------------------------- | ------------------- |
| Ingest        | Environment | Send telemetry data          | Single value        |
| Configuration | Environment | Manage Environment resources | Single value        |
| Management    | Team        | Manage keys and Environments | Key ID + Key Secret |

<Warning>
  When you create an API key, the secret is returned only at creation time.
  Store it securely; Honeycomb cannot retrieve it again.
</Warning>

### Ingest Keys

Ingest Keys send event data to Honeycomb.
Pass an Ingest Key in the `X-Honeycomb-Team` header.
The key value is the key ID and key secret concatenated with no separator.

```http theme={}
X-Honeycomb-Team: hcxik_1234567890123456789012345612345678901234567890123456789012
```

Ingest Keys can optionally be granted permission to create new Datasets automatically.

### Configuration Keys

Configuration Keys read and manage resources within a specific Environment, such as Datasets, queries, Boards, Triggers, and SLOs.
Pass a Configuration Key in the `X-Honeycomb-Team` header, the same way as an Ingest Key.

```http theme={}
X-Honeycomb-Team: hcxlk_1234567890123456789012345612345678901234567890123456789012
```

Each Configuration Key has a set of permissions that control which actions it can perform.
You assign these permissions when you create or update the key.

### Management Keys

Management Keys handle Team-level operations, including managing Environments and API keys themselves.
Pass a Management Key as a Bearer token in the `Authorization` header, joining the key ID and secret with a colon.

```http theme={}
Authorization: Bearer hcxmk_12345678901234567890123456:12345678901234567890123456789012
```

## Key Prefixes

API key IDs include a prefix that identifies the key type:

* `hcxik_`: Ingest Key
* `hcxlk_`: Configuration Key
* `hcxmk_`: Management Key

## Validating a Key

Use the [Auth endpoint](/api/auth/list-authorizations) to confirm which key you are using, check its permissions, and identify the Team and Environment it belongs to.

<Note>
  If you use Honeycomb Classic, the `environment.name` and `environment.slug` fields in the Auth endpoint response will return empty strings.
  This is expected behavior.
</Note>

## Managing API Keys

To create, update, or revoke keys, go to **Team Settings > API Keys** in Honeycomb, or use the [Key Management API](/api/key-management).
For best practices, including rotation and least-privilege recommendations, see [API Key Best Practices](/get-started/best-practices/api-keys/).