# Buckets and Environments

API keys are stored in "buckets," which organize and isolate authentication
credentials across different environments. Learn more in the
[API Key API documentation](https://dev.zuplo.com/docs).

## Default bucket configuration

Zuplo automatically creates three buckets for each project:

- **Working copy**: Stores API keys for the working-copy environment
- **Production**: Stores API keys for the production environment (your default
  Git branch)
- **Shared**: Stores API keys shared across all other environments

For more information on how environments relate to Git branches, see
[Branch-Based Deployments](./branch-based-deployments.mdx).

## Custom bucket configuration

To use a custom bucket, specify the `bucketName` in your API Key policy options:

```json
{
  "export": "ApiKeyInboundPolicy",
  "module": "$import(@zuplo/runtime)",
  "options": {
    "bucketName": "contoso-qa-env",
    "allowUnauthenticatedRequests": false
  }
}
```

When no `bucketName` appears in the configuration, the policy uses the default
bucket for the current environment.
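The bucket resolution described above, as an added example that is not Zuplo's own code: a JavaScript check over policy handler objects of the shape shown in this section, reporting which bucket each one reads from per environment. The environment-kind strings, the finding names, and the sample handlers are assumptions of this sketch, and the default-bucket labels are this page's names rather than real bucket identifiers.

```javascript
// Labels for the default buckets as this page names them (not real bucket ids).
// The environment-kind strings are an assumption of this example.
const DEFAULT_BUCKETS = { "working-copy": "Working copy", production: "Production" };

// Which bucket does a handler (the JSON shape shown above) read keys from?
function resolveBucket(handler, envKind) {
  const name = (handler.options || {}).bucketName;
  if (typeof name === "string" && name.trim() !== "") {
    return { bucket: name, source: "custom" };
  }
  // No bucketName: the default bucket for the current environment.
  // Everything that is not working copy or production uses Shared.
  return { bucket: DEFAULT_BUCKETS[envKind] || "Shared", source: "default" };
}

// Review findings for API key policies deployed to the given environments.
function auditHandlers(handlers, envKinds) {
  const findings = [];
  handlers.forEach((handler, index) => {
    if (handler.export !== "ApiKeyInboundPolicy") return;
    const opts = handler.options || {};
    if (opts.allowUnauthenticatedRequests === true) {
      findings.push({ index, issue: "unauthenticated-requests-allowed" });
    }
    if ("bucketName" in opts && resolveBucket(handler, "").source !== "custom") {
      findings.push({ index, issue: "bucketName-not-a-nonempty-string" });
    }
    const buckets = new Set(envKinds.map((e) => resolveBucket(handler, e).bucket));
    if (envKinds.length > 1 && buckets.size === 1) {
      // One key store serves every environment, so a key issued for one works in all.
      findings.push({ index, issue: "same-bucket-in-every-environment", bucket: [...buckets][0] });
    }
  });
  return findings;
}

// Constructed sample input: the handler from this page plus two variations.
const SAMPLE_HANDLERS = [
  { export: "ApiKeyInboundPolicy", module: "$import(@zuplo/runtime)",
    options: { bucketName: "contoso-qa-env", allowUnauthenticatedRequests: false } },
  { export: "ApiKeyInboundPolicy", module: "$import(@zuplo/runtime)",
    options: { allowUnauthenticatedRequests: true } },
  { export: "OtherPolicy", options: {} }, // hypothetical non-API-key policy, skipped
];
const SAMPLE_ENVS = ["working-copy", "production", "preview"];

console.log(auditHandlers(SAMPLE_HANDLERS, SAMPLE_ENVS));
```

A pinned `bucketName` is often intentional, for example a dedicated QA bucket; the finding only marks it for review when the same configuration is deployed to several environments.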

## Creating custom buckets

Create custom buckets using the
[API Key management API](https://dev.zuplo.com/docs). See the
[create buckets endpoint](https://dev.zuplo.com/docs/routes#apikeybucketsservice_create)
for details.

The following example creates a bucket for a QA environment:

```bash
curl --request POST \
  --url https://dev.zuplo.com/v1/accounts/YOUR_ACCOUNT_NAME/key-buckets \
  --header 'Authorization: Bearer YOUR_ZAPI_KEY' \
  --header 'Content-Type: application/json' \
  --data '{"name":"contoso-qa-bucket","description":"API Key bucket for QA Environment"}'
```

:::note

Replace `YOUR_ACCOUNT_NAME` with your account name and `YOUR_ZAPI_KEY` with your
Zuplo API key.

:::
