diff --git a/testTaskGate.ps1 b/testTaskGate.ps1
index 61e546d..47eeafe 100644
--- a/testTaskGate.ps1
+++ b/testTaskGate.ps1
@@ -131,6 +131,24 @@ function Respond-JSON {
     $Context.Response.OutputStream.Write($bytes,0,$bytes.Length)
     $Context.Response.OutputStream.Close()
 }
+#region Get-DattoApiCreds
+function Get-DattoApiCredentials {
+    param ([string]$Password)
+    $url = "https://automate.svstools.ca/webhook/svsmspkit"
+    $headers = @{ "SVSMSPKit" = $Password }
+    try {
+        $response = Invoke-RestMethod -Uri $url -Headers $headers -Method GET
+        return @{
+            ApiUrl       = $response.ApiUrl
+            ApiKey       = $response.ApiKey
+            ApiSecretKey = $response.ApiSecretKey
+        }
+    } catch {
+        Write-LogHybrid "Failed to fetch API credentials: $($_.Exception.Message)" "Error" "DattoAuth"
+        return $null
+    }
+}
+#endregion
 
 #region Install-DattoRMM-Helper
 function Install-DattoRMM-Helper {
@@ -189,30 +207,40 @@ function Install-DattoRMM-Helper {
 # POST /getpw → read JSON body, call helper, return JSON
 function Handle-FetchSites {
     param($Context)
-     Write-Host "[Debug] Handle-FetchSites invoked"   # ← add this
+    Write-Host "[Debug] Handle-FetchSites invoked"
+
     try {
         $body = (New-Object IO.StreamReader $Context.Request.InputStream).ReadToEnd() 
         $pw   = (ConvertFrom-Json $body).password
+
+        $creds = Get-DattoApiCredentials -Password $pw
+        if (-not $creds) {
+            Write-LogHybrid "Credential fetch failed." "Error"
+            $Context.Response.StatusCode = 403
+            Respond-JSON $Context @()
+            return
+        }
+
         $sites = Install-DattoRMM-Helper `
-                  -ApiUrl $ApiUrl `
-                  -ApiKey $ApiKey `
-                  -ApiSecretKey $ApiSecretKey `
-                  -FetchSitesOnly
-        if (-not $sites) { $Context.Response.StatusCode = 500; $sites = @() }
-        $json = $sites | ConvertTo-Json -Depth 2
-        $bytes = [Text.Encoding]::UTF8.GetBytes($json)
-        $Context.Response.ContentType = 'application/json'
-        $Context.Response.OutputStream.Write($bytes,0,$bytes.Length)
+                    -ApiUrl       $creds.ApiUrl `
+                    -ApiKey       $creds.ApiKey `
+                    -ApiSecretKey $creds.ApiSecretKey `
+                    -FetchSitesOnly
+
+        if (-not $sites) {
+            $Context.Response.StatusCode = 500
+            $sites = @()
+        }
+
+        Respond-JSON $Context $sites
     } catch {
         $Context.Response.StatusCode = 500
-        $Context.Response.ContentType = 'application/json'
-        $Context.Response.OutputStream.Write([Text.Encoding]::UTF8.GetBytes('[]'),0,2)
-    } finally {
-        $Context.Response.OutputStream.Close()
+        Respond-JSON $Context @()
     }
 }
 
 
+
 # On-boarding handlers
 function Set-SVSPowerPlan {
     param($Context)