# Authentication

> How management keys (fhm_) and tap tokens (fh_) differ, what each one authorizes, the API base URL, and how to pass them as a bearer token on requests.

Firehose has two kinds of API key. Both use bearer-token authentication:

```text
Authorization: Bearer fhm_your_management_key
Authorization: Bearer fh_your_tap_token
```

## Management key (`fhm_`)

Created by an organization admin from the dashboard. Use it to **manage taps** — create, list,
update, and revoke them. A management key **cannot** manage rules or open the stream. It's shown
once at creation, so store it securely.

```bash
# List every tap (and its full token) in the organization
curl -s https://api.firehose.com/v1/taps \
  -H "Authorization: Bearer $FIREHOSE_MGMT_KEY"
```

<Callout type="info">
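  `GET /v1/taps` returns each tap's full token, so anyone holding a management key can enumerate
  taps and obtain the tokens needed to stream from any of them. Protect a management key as you
  would every tap token in the organization combined.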
</Callout>

## Tap token (`fh_`)

Scoped to one tap. Use it to **manage that tap's rules** and to **open the stream**. Retrievable
any time from the dashboard or via `GET /v1/taps` with a management key.

```bash
# List the rules on a tap
curl -s https://api.firehose.com/v1/rules \
  -H "Authorization: Bearer $FIREHOSE_TAP_TOKEN"
```
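
Because a management key can reach every tap token, a worker that only reads rules or streams should never be handed one. The guard below is an added example, not Firehose's own tooling: it checks the key prefix against the path before building the header and keeps the secret out of error output. The function names are hypothetical; only the `fhm_`/`fh_` prefixes and the two paths come from this page.

```bash
# Added example. Only the fhm_/fh_ prefixes and the /v1/taps and
# /v1/rules paths come from this page; function names are hypothetical.

# Classify a key by its documented prefix (empty secret part is rejected).
firehose_key_kind() {
  case "$1" in
    fhm_?*) echo management ;;
    fh_?*)  echo tap ;;
    *)      echo unknown ;;
  esac
}

# Key type that each path documented on this page expects.
firehose_required_kind() {
  case "$1" in
    /v1/taps)  echo management ;;
    /v1/rules) echo tap ;;
    *)         echo unknown ;;
  esac
}

# Mask a key for logs: keep the prefix, hide the secret part.
firehose_redact() {
  case "$(firehose_key_kind "$1")" in
    management) echo 'fhm_****' ;;
    tap)        echo 'fh_****' ;;
    *)          echo '****' ;;
  esac
}

# Print the Authorization header for a path, or fail (without echoing the
# key) when the key type is not the one that path expects.
firehose_auth_header() {
  local path key want have
  path=$1; key=$2
  want=$(firehose_required_kind "$path")
  have=$(firehose_key_kind "$key")
  if [ "$want" = unknown ] || [ "$want" != "$have" ]; then
    echo "refusing: $path wants key type '$want', got $(firehose_redact "$key")" >&2
    return 1
  fi
  printf 'Authorization: Bearer %s\n' "$key"
}

# Usage:
#   hdr=$(firehose_auth_header /v1/rules "$FIREHOSE_TAP_TOKEN") || exit 1
#   curl -s https://api.firehose.com/v1/rules -H "$hdr"
```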

## Base URL

```text
https://api.firehose.com
```

## Errors

| Status | Meaning |
| --- | --- |
| 401 | Missing or invalid token |
| 403 | Resource not owned by your organization |
| 404 | Not found |
| 422 | Validation error |
| 429 | Rate limit exceeded |

## Next steps

<CardGrid>
  <Card title="Quickstart" href="/get-started/quickstart">
    Use your keys end to end — mint a tap, add a rule, open the stream.
  </Card>
  <Card title="Management keys" href="/organizations/management-keys">
    Create, rotate, and revoke the `fhm_` keys that manage taps.
  </Card>
</CardGrid>
