# Authentication

Before you can use commands that access Finqu resources (like themes), you need to authenticate.

## Obtaining API Credentials

To use API credentials for authentication (instead of the OAuth flow), you need to generate them first:

- **Regular users**: Generate API credentials from the **Apps** page in the Finqu admin area
- **Partners**: Generate your own API keys from **Partner management**

Once you have your API key and secret, you can use them with the `finqu sign-in` command or set them as environment
variables.

## Sign in

Use `finqu sign-in` to authenticate and obtain an access token:

```bash
finqu sign-in
```

If you already have API credentials, you can provide them directly:

```bash
finqu sign-in --key YOUR_API_KEY --secret YOUR_API_SECRET
```

### What happens during sign-in

- If you don’t provide `--key` and `--secret`, the CLI uses an **OAuth 2.0** flow and will open a browser window so you
  can complete sign-in.
- The CLI stores the resulting credentials in your `.env` file.

## Environment variables

You can provide credentials via environment variables (as an alternative to using `--key` / `--secret`):

| Variable                  | Description                                                                   |
| ------------------------- | ----------------------------------------------------------------------------- |
| `FINQU_API_CLIENT_ID`     | API Client key to use for authentication (alternative to using `--key`)       |
| `FINQU_API_CLIENT_SECRET` | API Client secret to use for authentication (alternative to using `--secret`) |

## Tips

- If you start seeing auth errors, run `finqu sign-in` again to refresh your authentication.
- For details on where tokens are stored and how environments work, see [Configuration](./configuration).