> ## Documentation Index
> Fetch the complete documentation index at: https://docs.easycred.co.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Credentials

> At onboarding, EasyCred issues you two values. Store them immediately — they are shown only once.

## Your API Credentials

At onboarding, EasyCred issues you two values. **Both are shown exactly once and cannot be retrieved later** — store them immediately in your secret manager.

<Warning>
  Never commit, log, or share either value in plaintext. When debugging, log only the **8-character key prefix**.
</Warning>

## Credential Reference

<CardGroup cols={2}>
  <Card title="apiKey" color="#4f46e5" icon="key">
    **Format:** `ec_live_…` (production) or `ec_test_…` (sandbox)

    Sent in the `x-api-key` header on **every request**.
  </Card>

  <Card title="signingSecret" color="#0ea5e9" icon="shield-check">
    **Format:** 48-character hex string

    Used locally to compute the request HMAC-SHA256 signature. **Never sent over the wire.**
  </Card>
</CardGroup>

## Key Formats

| Key Type   | Prefix     | Environment                        |
| ---------- | ---------- | ---------------------------------- |
| Production | `ec_live_` | Live customers and real data       |
| Sandbox    | `ec_test_` | Testing and integration validation |

## Security Best Practices

<AccordionGroup>
  <Accordion title="Use a Secret Manager" icon="vault">
    Store both `apiKey` and `signingSecret` in a secrets management system (e.g. AWS Secrets Manager, HashiCorp Vault, or your cloud provider's equivalent). Never hardcode them in source files.
  </Accordion>

  <Accordion title="Restrict Key Permissions" icon="lock">
    Only grant access to your credentials to services and team members that strictly need them. Apply the principle of least privilege.
  </Accordion>

  <Accordion title="Safe Debugging" icon="bug">
    When logging request metadata for debugging, log only the first 8 characters of the `apiKey` (e.g. `ec_live_a1b2c3d4`). Never log the full key or the `signingSecret`.
  </Accordion>

  <Accordion title="Rotate on Compromise" icon="rotate-cw">
    If you suspect your credentials have been exposed, contact your EasyCred onboarding manager immediately to rotate your key.
  </Accordion>
</AccordionGroup>

## Usage in Requests

Your `apiKey` goes in the `x-api-key` header on every API call:

```http theme={null}
x-api-key: ec_live_a1b2c3d4_<rest-of-key>
```

Your `signingSecret` is used **only on your server** to compute the `x-signature` header. See [Authentication](/authentication) for the full signing process.

<Info>
  The `signingSecret` is never transmitted over the network — it stays entirely within your backend infrastructure.
</Info>
