# API Keys

API keys are Plane B credentials and must stay server-side.

## Create and rotate

Use the backoffice or the Plane B API:

- `GET /internal/api-keys`
- `POST /internal/api-keys`
- `PATCH /internal/api-keys/{id}`
- `DELETE /internal/api-keys/{id}`

## Handling rules

- Store keys in Vault or a dedicated secret manager.
- Never put keys in mobile apps.
- Never commit keys to Git.
- Scope keys by environment.
- Rotate keys when an operator leaves, a CI system changes, or logs suggest exposure.

## Playground use

The API reference supports `X-Plug-Wallet-Api-Key` in the Authorize dialog. Only use sandbox keys in a browser playground.
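An added example, not part of the original page or of the product's own code: one way to check for the "logs suggest exposure" rotation trigger by scanning log lines for unredacted `X-Plug-Wallet-Api-Key` values. The log lines, key values, redaction markers and function names are constructed assumptions.

```python
import hashlib
import re

# Header name taken from this page; everything else is constructed for illustration.
HEADER = "X-Plug-Wallet-Api-Key"
# Header followed by ':' or '=' and a value, in plain, quoted or JSON-style log text.
LEAK_RE = re.compile(
    re.escape(HEADER) + r"""["']?\s*[:=]\s*["']?([^\s"',;}]+)""", re.IGNORECASE
)
# Markers a logger writes instead of the secret (assumed; adjust to your logger).
REDACTED = {"[redacted]", "***", "<redacted>"}

# Constructed sample log lines; the key values are fake.
SAMPLE_LOG = [
    "10:00:01 INFO request headers: X-Plug-Wallet-Api-Key: constructed-key-aaa",
    "10:00:02 INFO request headers: x-plug-wallet-api-key=[REDACTED]",
    "10:00:03 WARN 401 missing X-Plug-Wallet-Api-Key header",
    '10:00:04 DEBUG {"X-Plug-Wallet-Api-Key": "constructed-key-bbb", "path": "/v1"}',
    "10:00:05 DEBUG retry with X-Plug-Wallet-Api-Key: constructed-key-aaa",
]


def fingerprint(key: str) -> str:
    """Short SHA-256 prefix, so a finding can be matched to a key without re-logging it."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def find_exposed_keys(lines):
    """Return {fingerprint: [line numbers]} for every unredacted key value seen."""
    findings = {}
    for lineno, line in enumerate(lines, start=1):
        for match in LEAK_RE.finditer(line):
            value = match.group(1)
            if value.lower() in REDACTED:
                continue  # already masked by the logger, nothing exposed
            findings.setdefault(fingerprint(value), []).append(lineno)
    return findings


def redact(line: str) -> str:
    """Mask any logged key value, keeping the rest of the line intact."""
    return LEAK_RE.sub(lambda m: line[m.start():m.start(1)] + "[REDACTED]", line)


if __name__ == "__main__":
    for fp, where in find_exposed_keys(SAMPLE_LOG).items():
        print(f"rotate key with fingerprint {fp}: seen on lines {where}")
```

Compare the reported fingerprints against `fingerprint()` of each key held in the secret manager to decide which keys to rotate.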
