update

Author: bryantanderson

fern/customization/jwt-authentication.mdx

@@ -12,19 +12,71 @@ Before you proceed, ensure you have the following:
 
 - An environment that supports JWT generation and API calls (e.g., a programming language or framework)
 - An account with a service that requires JWT authentication
-- Environment variables set up for the necessary credentials (e.g., organization ID and private key, both can be found in your Vapi portal)
+- Environment variables set up for the necessary credentials (e.g., organization ID and Vapi API key, both can be found in your Vapi dashboard)
 
 ## Generating a JWT Token
 
 The following steps outline how to generate a JWT token:
 
 1. **Define the Payload**: The payload contains the data you want to include in the token. In this case, it includes an `orgId`.
-2. **Get the Private Key**: The private key (provided by Vapi) is used to sign the token. Ensure it is securely stored, often in environment variables.
+2. **Get a Vapi API Key**: A Vapi API key is used to sign the token. Ensure it is securely stored, often in environment variables.
 3. **Set Token Options**: Define options for the token, such as the expiration time (`expiresIn`).
 4. **Generate the Token**: Use a JWT library or built-in functionality to generate the token with the payload, key, and options.
 
+### Creating a Vapi API Key
+
+You can find your API keys in the Vapi dashboard. Head to the `ORG SETTINGS` section on the sidebar and click on the `API Keys` tab.
+
+By default, Vapi creates a pair of private and public API keys for you. However, you may create new API keys at any time through the dashboard or API.
+
+<Frame>
+  <img src="../static/images/quickstart/dashboard/vapi-api-keys-tab.png" />
+</Frame>
+
+Creating new API keys is straightforward through the Vapi API.
+
+**Example (creating a private API key):**
+
+```bash
+curl -X POST 'https://api.vapi.ai/token' \
+-H 'Content-Type: application/json' \
+-H 'Authorization: Bearer <YOUR_API_KEY>' \
+-d '{
+  "name": "My Private Vapi API Key",
+  "tag": "private"
+}'
+```
+
+**Example (creating a public API key):**
+
+<Note>
+  The **restrictions** field is optional. All fields besides **enabled** are only relevant for **public**  tokens.
+</Note>
+
+```bash
+curl -X POST 'https://api.vapi.ai/token' \
+-H 'Content-Type: application/json' \
+-H 'Authorization: Bearer <YOUR_API_KEY>' \
+-d '{
+  "name": "My Public Vapi API Key",
+  "tag": "public",
+  "restrictions": {
+    "enabled": true,
+    "allowedOrigins": ["https://example.vapi.ai"],
+    "allowedAssistantIds": ["1cbf8c70-5fd7-4f61-a220-376ab35be1b0"],
+    "allowTransientAssistant": false,
+  }
+}'
+```
+
+### Vapi API Key Scope
+
+A Vapi API Key can have one of two scopes: Private or Public. The scope of the key will determine the actions that can be performed using the key. 
+
+For example, it can be used to restrict which API endpoints the key can access.
+
 <Note>
-  Without the private key, the JWT token's scope will be limited to web call creation.
+  As of writing, the only publicly scoped API endpoint is https://api.vapi.ai//call/web, which is used for Web Call creation. All other endpoints are privately scoped.
 </Note>
 
 ### Example
@@ -35,8 +87,8 @@ const payload = {
   orgId: process.env.ORG_ID,
 };
 
-// Get the private key from environment variables
-const key = process.env.PRIVATE_KEY;
+// Get the private (or public) Vapi API key from environment variables
+const key = process.env.VAPI_API_KEY;
 
 // Define token options
 const options = {
@@ -50,7 +102,7 @@ const token = generateJWT(payload, key, options);
 ### Explanation
 
 - **Payload**: The payload includes the `orgId`, representing the organization ID.
-- **Key**: The private key is used to sign the token, ensuring its authenticity.
+- **Key**: The Vapi API key is used to sign the token, ensuring its authenticity.
 - **Options**: The `expiresIn` option specifies that the token will expire in 1 hour.
 - **Token Generation**: The `generateJWT` function (a placeholder for the actual JWT generation method) creates the token using the provided payload, key, and options.
 
@@ -94,4 +146,4 @@ With the generated token, you can authenticate API requests to any endpoint requ
 
 ## Conclusion
 
-This documentation covered the basics of generating a JWT token and demonstrated how to use the token to make authenticated API requests. Ensure that your environment variables (e.g., `ORG_ID` and `PRIVATE_KEY`) are correctly set up before running the code.
+This documentation covered the basics of generating a JWT token and demonstrated how to use the token to make authenticated API requests. Ensure that your environment variables (e.g., `ORG_ID` and ``VAPI_API_KEY``) are correctly set up before running the code.