API key injection
Automatically populate API keys in the API Explorer for logged-in users.
Automatically populate API keys in the API Explorer for logged-in users.
This feature is available only for the Enterprise plan. To get started, reach out to support@buildwithfern.com.
API key injection is a feature of JWT and OAuth authentication. When a user logs in, a fern_token cookie is set in their browser with a fern.playground claim that tells the API Explorer what values to pre-fill — API keys, headers, or other credentials. You can combine it with RBAC in a single token.
User credentials are stored only in browser cookies and never transmitted to Fern’s servers. Learn more in the Security overview.
To enable API key injection, follow the JWT or OAuth setup guide.
With JWT setup, you have full control over the fern.playground payload. These options let you go beyond a single bearer token — pre-filling custom headers, supporting multiple API keys, or varying credentials by environment. These options are not available with OAuth, where Fern manages the token.
You can pre-fill headers, path parameters, and query parameters alongside auth credentials:
To provide multiple API keys (for example, one per application), set bearer_token to a JSON-encoded array of key-value objects. Each object maps an application name to its key.
The API Explorer displays a dropdown so the user can choose which application key to use for requests.
Use env_state to provide different credentials for each environment (for example, production vs. staging). Each key in env_state is matched against the selected environment URL using substring matching.
When the user selects an environment containing prod (such as https://api.prod.example.com), the API Explorer uses prod-token-abc123. The env_state values are merged on top of initial_state: auth is replaced entirely, while headers, path parameters, and query parameters are shallow-merged.