> ## Documentation Index
> Fetch the complete documentation index at: https://developer.fabric.inc/llms.txt
> Use this file to discover all available pages before exploring further.

# API Client Settings

An **API Client** represents a set of credentials (**Client ID** and **Client Secret**) tied to your account/brand that applications and integrations use to authenticate with the Dropship V3 APIs.

You can use API Clients to:

* Generate credentials for **server-to-server** integrations.
* Isolate access for different apps/environments (for example, *ERP Prod*, *ERP Staging*).
* Rotate or revoke credentials without impacting other systems.

## Prerequisites

* Admin access to your Dropship account.
* Decision on **naming** (use a clear, environment-specific name).
* A secure place to store secrets (for example, a secret manager such as AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, or your CI/CD secret store).

## Create a New API Client

1. Navigate to **Settings → API Clients** in the Dropship console.

2. Click **Add API Client**.

3. Enter a clear **Client Name** (for example, `erp-prod`, `integration-staging`).

4. Click **Create Client**.

5. The client is created and now appears in your **API Clients** list.

<Tip> Create separate clients for each environment (Prod, Staging, Dev) and for each distinct integration. This minimizes risk and streamlines credential rotation. </Tip>

### Accessing client credentials (One-time Secret Reveal)

1. In **Settings** > **API Clients**, click the **Client Name** you just created.

   The **Client Credentials** page is displayed.

2. In **Client Credentials**, you’ll see:

   * **Client Name** (as entered)
   * **API URL** (base URL for requests)
   * **Brand ID**
   * **Client ID**
   * **Client Secret** (hidden by default)

3. **The Client Secret can only be accessed once.** When you are prepared to capture it, click **Get Client Secret** > **Show API Secret**.

4. **Copy** the secret using the provided button and store it in your secret manager immediately.

<Important> The **Client Secret** can only be viewed **once**. If it is lost, open a **Support** ticket to have it reset. </Important>

## Using the Credentials for Authentication

Most integrations will exchange the**Client ID** and **Client Secret** for an access token, then include that token in API calls. See the detailed flows and examples in the [Authentication Guide](https://developer.fabric.inc/v3/dropship/api-reference/authentication).

## Best Practices

* **Least privilege by isolation:** Create distinct clients per environment/app.
* **Rotate regularly:** Establish a key rotation cadence (for example, quarterly or on team changes).
* **Never embed secrets in code:** Use environment variables or a secret manager.
* **Restrict distribution:** Share **Client Secrets** only with systems (not people) that need them.
* **Monitor & alert:** Track usage and set alerts on unusual activity if available.

## Rotating or Revoking a Client

* **Rotate:** Create a new API Client, deploy the new **Client ID/Secret**, validate, then delete the old client.
* **Revoke immediately** if you suspect compromise. Replace the credentials across all dependent systems.

## Troubleshooting

* **I can’t see the Client Secret again:** This is expected. Open a **Support** ticket to reset.

* **Authentication failures (401/403):**

  * Verify you’re using the correct **API URL** for your environment.
  * Confirm the **Client ID/Secret** are accurate and not expired/rotated.
  * Ensure your token acquisition flow matches the [Authentication Guide](https://developer.fabric.inc/v3/dropship/api-reference/authentication).

* **Wrong brand or environment:** Double-check the **Brand ID** and the **API URL** shown on the client’s detail page.

## FAQ

<AccordionGroup>
  <Accordion title="Can multiple apps share one API Client?">
    While this is possible, fabric discourages this. We recommend creating separate clients to simplify rotations and auditing.
  </Accordion>

  <Accordion title="What if I accidentally reveal the secret in logs?">
    Treat it as compromised: rotate immediately and scrub logs.
  </Accordion>

  <Accordion title="Is there a sandbox?">
    If you maintain separate environments, create distinct clients per environment and use the environment-specific **API URL**.
  </Accordion>
</AccordionGroup>
