> ## Documentation Index
> Fetch the complete documentation index at: https://docs.honeycomb.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate Honeycomb API requests with API keys. Find out which key type each endpoint requires.

All Honeycomb API requests require an API key.
The type of key you use depends on what you're doing.

## Honeycomb Resource Hierarchy

Honeycomb organizes resources hierarchically: Teams contain Environments, and Environments contain Datasets and other resources.

API keys operate at different levels of this hierarchy, which determines what they can access.

* **Environment-level keys** access a single Environment and its Datasets. These include Ingest and Configuration Keys.
* **Team-level keys** access all Environments and Team settings. These are Management Keys.

<Note>
  If you use Honeycomb Classic, your account doesn't have Environments.
  Classic API keys operate at the Team level and access all your Classic Datasets directly.
</Note>

## API Key Format

On creation, every API key is assigned a Key ID, which is a label used to identify the Key in the Honeycomb UI.
Key IDs include a prefix that identifies the key type:

* `hc[x]ik_`: Ingest Key
* `hc[x]lk_`: Configuration Key
* `hc[x]mk_`: Management Key

<Note>
  The character shown as `[x]` varies and is assigned at key creation.
</Note>

For Ingest and Management Keys, you will also have a Secret, which is a separate credential that combines with the Key ID to form the value you pass in API requests.

Configuration Keys have a Token.
You can retrieve the Token from the Honeycomb UI at any time.

## API Key Types

Honeycomb has three types of API keys, each designed for a specific purpose and scope.

| Key Type      | Scope       | Use                          | Header                  | Via the UI                    | Via the API                          |
| ------------- | ----------- | ---------------------------- | ----------------------- | ----------------------------- | ------------------------------------ |
| Ingest        | Environment | Send telemetry data          | `X-Honeycomb-Team`      | **Ingest Key**                | `data.id` + `data.attributes.secret` |
| Configuration | Environment | Manage Environment resources | `X-Honeycomb-Team`      | **Token**                     | `data.attributes.secret`             |
| Management    | Team        | Manage keys and Environments | `Authorization: Bearer` | **Key ID** + `:` + **Secret** | N/A                                  |

<Note>
  When creating an Ingest Key through the UI, Honeycomb returns the complete key value.
  You only need to construct it from `data.id` and `data.attributes.secret` when using the [Create an API Key endpoint](/api/key-management/create-an-api-key).
</Note>

### Ingest Keys

Ingest Keys send data to Honeycomb.

Pass an Ingest Key in the `X-Honeycomb-Team` header.
The key value is the **Key ID** and **Secret** concatenated with no separator.

If you created your key through the UI, Honeycomb provides the complete value as the **Ingest Key**.
If you created it via the API, concatenate `data.id` and `data.attributes.secret` with no separator.

```http theme={}
X-Honeycomb-Team: hc[x]ik_1234567890123456789012345612345678901234567890123456789012
```

Ingest Keys can optionally be granted permission to create new Datasets automatically.

<Warning>
  If you created your Ingest Key through the UI, store the complete **Ingest Key** securely; Honeycomb displays the concatenated value only when you create the key.
  If you created your Ingest Key via the API, store `data.attributes.secret` securely; Honeycomb returns it only upon creation.
</Warning>

### Configuration Keys

Configuration Keys read and manage resources within a specific Environment, such as Datasets, queries, Boards, Triggers, and SLOs.

Pass the **Token** in the `X-Honeycomb-Team` header.
If you created your Configuration Key via the API, use `data.attributes.secret`; this is the same value as the **Token** in the UI.

```http theme={}
X-Honeycomb-Team: 1234567890123456789012
```

Each Configuration Key has a set of permissions that control which actions it can perform.
You assign these permissions when you create or update the key.

### Management Keys

Management Keys handle Team-level operations, including managing Environments and API keys.

Pass a Management Key as a Bearer token in the `Authorization` header.
Construct the key value by joining the **Key ID** and **Secret** with a colon (`:`).
Management Keys can only be created through the UI.

```http theme={}
Authorization: Bearer hc[x]mk_12345678901234567890123456:12345678901234567890123456789012
```

<Warning>
  Store the **Secret** securely when you create the key; Honeycomb returns it only upon creation.
</Warning>

## Validating a Key

Use the [Auth endpoint](/api/auth/list-authorizations) to confirm which key you are using, check its permissions, and identify the Team and Environment it belongs to.

<Note>
  If you use Honeycomb Classic, the `environment.name` and `environment.slug` fields in the [Auth endpoint](/api/auth) response will return empty strings.
  This is expected behavior.
</Note>

## Managing API Keys

To create, update, or revoke keys, navigate to **Account** > **Team Settings** > **API Keys** in Honeycomb, or use the [Key Management API](/api/key-management).
For best practices, including rotation and least-privilege recommendations, see [API Key Best Practices](/get-started/best-practices/api-keys/).