> ## Documentation Index
> Fetch the complete documentation index at: https://docs.budecosystem.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API Key Concepts

> Understand provider credentials, project keys, and cloud provider connections

## Core Concepts

API Keys in Bud are split into three management domains.

```mermaid theme={null}
graph TD
    A[Credential Domains] --> B[Provider Credentials]
    A --> C[Project Keys]
    A --> D[Cloud Provider Credentials]
    B --> E[Used by model providers]
    C --> F[Scoped to one project]
    C --> G[Expiry + max budget]
    D --> H[Infra provider authentication]
```

## 1) Provider Credentials

Provider credentials are reusable secrets attached to provider types. They are used by workflows that require access to external model providers.

**Operational traits**:

* Dynamic credential fields based on provider metadata
* Provider-level search and filter support
* Deployment usage visibility in detailed drawer

## 2) Project API Keys

Project keys are scoped to a single project and include governance fields.

**Governance traits**:

* Expiry windows (30 or 60 days)
* Max budget limits
* Last-used tracking for lifecycle decisions

## 3) Cloud Provider Connections

Cloud providers (shown in dev mode) store credential sets for infrastructure provider integration.

## Visibility and Secret Safety

Secrets are displayed using a secure interaction pattern:

1. Values are masked by default
2. User explicitly reveals value with visibility toggle
3. User can copy a value via copy action

## Lifecycle Model

```mermaid theme={null}
stateDiagram-v2
    [*] --> Created
    Created --> Active
    Active --> Rotated: update/recreate
    Active --> Revoked: delete
    Rotated --> Active
    Revoked --> [*]
```

## Data You Can Operate On

| Credential Type | Primary fields                        | Common list columns                                     |
| --------------- | ------------------------------------- | ------------------------------------------------------- |
| Provider        | Name, type, provider-specific secrets | Credential name, provider name, deployments, created on |
| Project key     | Name, project, expiry, max budget     | Credential name, project, expiry, last used, max budget |
| Cloud provider  | Provider, credential name, secret set | Provider, credential name, description, created on      |

## Recommended Operating Pattern

<Check>Use provider credentials for external provider integrations.</Check>
<Check>Issue project keys per team/workload, not shared org-wide.</Check>
<Check>Set expiry and budget during creation to enforce governance from day one.</Check>
<Check>Review last-used metadata before rotating or deleting keys.</Check>
