# Management keys

> Organization-scoped credentials (fhm_) for creating and managing taps programmatically — how to create one, what it unlocks, and when to use it.

A **management key** (prefixed `fhm_`) is a long-lived, organization-scoped credential for managing
**taps** via the API — create, list, update, and revoke. It deliberately **cannot** manage rules or
open the stream; those use the [tap token](/get-started/authentication).

## Creating a key

Admins create management keys from the [Management keys](https://firehose.com/management-keys) page.
The key is shown **once** at creation — copy and store it securely. An organization can hold up to
100 active keys, and any key can be revoked at any time.

## What it unlocks

With one management key you can provision and operate taps headlessly:

```bash
# Enumerate taps (and their full tokens)
curl -s https://api.firehose.com/v1/taps -H "Authorization: Bearer $FIREHOSE_MGMT_KEY"

# Provision a new tap
curl -s -X POST https://api.firehose.com/v1/taps \
  -H "Authorization: Bearer $FIREHOSE_MGMT_KEY" \
  -H "Content-Type: application/json" -d '{"name": "Brand mentions"}'
```

Because `GET /v1/taps` returns each tap's full token, a single management key is enough to bootstrap
and then stream from any tap in the organization.

<Callout type="warning">
  Treat management keys like passwords. A leaked key lets the holder create and revoke taps across
  the whole organization and, because `GET /v1/taps` returns each tap's full token, stream from any
  of them. Rotate by creating a new key and revoking the old one.
</Callout>
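
The calls above pass the key as a `-H` argument, which places it in curl's process arguments, where it can be visible to other local processes. As an added example (not from the Firehose docs), this wrapper sends the header through `curl --config -` on stdin instead; the `fh_*` function names and the allowed key character set are assumptions.

```bash
# Added example, not Firehose's own tooling. It relies only on what this page
# states: the key is in $FIREHOSE_MGMT_KEY, starts with "fhm_", and is sent as
# a Bearer token.

# Reject an unset key, a credential without the fhm_ prefix, and any character
# that could alter the curl config line built below.
# ASSUMPTION: keys use only A-Z a-z 0-9 "_" "-"; widen the set if yours differ.
fh_check_key() {
  case "${FIREHOSE_MGMT_KEY:-}" in
    '')               echo "FIREHOSE_MGMT_KEY is not set" >&2; return 1 ;;
    *[!A-Za-z0-9_-]*) echo "FIREHOSE_MGMT_KEY has unexpected characters" >&2; return 1 ;;
    fhm_?*)           return 0 ;;
    *)                echo "FIREHOSE_MGMT_KEY is not an fhm_ key" >&2; return 1 ;;
  esac
}

# Print a curl config fragment carrying the Authorization header.
# printf is a shell builtin, so the key never appears in any process's argv.
fh_curl_config() {
  fh_check_key || return 1
  printf 'header = "Authorization: Bearer %s"\n' "$FIREHOSE_MGMT_KEY"
}

# Same requests as on this page, minus the -H "Authorization: ..." argument.
# curl reads the header from stdin via --config -.
fh_curl() {
  fh_check_key || return 1
  fh_curl_config | curl --silent --fail --config - "$@"
}

# Usage (network calls, so left commented out):
#   fh_curl https://api.firehose.com/v1/taps
#   fh_curl -X POST https://api.firehose.com/v1/taps \
#     -H "Content-Type: application/json" -d '{"name": "Brand mentions"}'
```

The response to `GET /v1/taps` contains tap tokens, so keep it out of CI logs and shell history as well.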

See the [API reference](/api-reference/management-key-endpoints) for the full endpoint list.

## Next steps

<CardGrid>
  <Card title="Management-key endpoints" href="/api-reference/management-key-endpoints">
    Every tap CRUD endpoint a management key unlocks.
  </Card>
  <Card title="Authentication" href="/get-started/authentication">
    How management keys differ from tap tokens.
  </Card>
</CardGrid>
