# Core concepts

Enzo's configuration model has a small number of explicit resources.

## Realm

A realm is a logical configuration namespace. Realm names are unique within an
Enzo cluster.

## App

An app belongs to a realm. Apps can carry tags and provide the resource boundary
for customer API keys.

## Customer API key

A customer API key belongs to an app. Enzo returns plaintext key material only
when the key is created; stored API-key resources do not contain the plaintext
value.

The verification endpoint accepts a customer key and reports whether it is
valid, together with the identifiers needed by the caller.

## System key

A system key authenticates configuration API requests. Send it using the HTTP
`Authorization` header:

```text
Authorization: Bearer <system-key>
```

System keys and customer API keys serve different purposes. A system key manages
configuration; a customer key is verified by an application using Enzo.

