# Authentication

## Create a token

1. Sign in at [renai.build](https://renai.build).
2. Open **Settings → Personal access tokens**.
3. Click **Create token**, name it (e.g. "local dev", "production
   deploy"), and select the scopes it should have.
4. Copy the token. It is shown once. If you lose it, revoke it and
   create a new one.

Tokens are prefixed with `ren_pat_` so you can recognise them in logs
and environment files.

## Use a token with the SDK

Pass the token to `createRenClient` via the `pat()` auth strategy:

```ts
import { createRenClient, pat } from "@renai-labs/sdk"

const client = createRenClient({
  baseUrl: "https://api.renai.build",
  auth: pat(process.env.REN_PAT_TOKEN!),
})
```

## Raw HTTP

Send in `Authorization` header:

```bash
curl https://api.renai.build/api/pods \
  -H "Authorization: Bearer $REN_PAT_TOKEN"
```

## Scopes

Scopes follow `<resource>.<action>` (e.g. `agents.read`, `agents.write`). Grant the narrowest scopes needed.

## Rotating tokens

Revoke tokens from the same settings page. Revocation takes effect
immediately — in-flight requests with the revoked token will begin
returning `401 Unauthorized`.

:::caution
Never commit PATs to source control. Store them in your secret
manager (1Password, Doppler, AWS Secrets Manager, GitHub Actions
secrets) and inject them as environment variables at runtime.
:::

## Next steps

- **[Personal access tokens](/concepts/personal-access-tokens)** — the
  token resource in detail, including managing tokens via the API.
- **[Custom auth strategies](/sdk/custom-auth)** — advanced: plug your
  own header or signing logic into the SDK.