diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8179b97..28fd73b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,6 +49,7 @@ If you were at `firehose-core` version `1.0.0` and are bumping to `1.1.0`, you s
 	and is expanded as is.
 
 * Added `Beacon` to known list of Block model.
+* Added api key authentication to `NewFirehoseFetchClient`
 
 ## v1.2.3
 
diff --git a/cmd/tools/firehose/firehose.go b/cmd/tools/firehose/firehose.go
index 088247c..6cfdb4b 100644
--- a/cmd/tools/firehose/firehose.go
+++ b/cmd/tools/firehose/firehose.go
@@ -68,7 +68,7 @@ func getFirehoseClientFromCmd[B firecore.Block, C any](cmd *cobra.Command, logge
 	if kind == "stream-client" {
 		rawClient, connClose, requestInfo.GRPCCallOpts, err = client.NewFirehoseClient(endpoint, jwt, apiKey, insecure, plaintext)
 	} else if kind == "fetch-client" {
-		rawClient, connClose, err = client.NewFirehoseFetchClient(endpoint, jwt, insecure, plaintext)
+		rawClient, connClose, requestInfo.GRPCCallOpts, err = client.NewFirehoseFetchClient(endpoint, jwt, apiKey, insecure, plaintext)
 	} else {
 		panic(fmt.Errorf("unsupported Firehose client kind: %s", kind))
 	}
diff --git a/firehose/client/client.go b/firehose/client/client.go
index 9875a33..64c4fd4 100644
--- a/firehose/client/client.go
+++ b/firehose/client/client.go
@@ -77,10 +77,10 @@ func (a *ApiKeyAuth) RequireTransportSecurity() bool {
 	return true
 }
 
-func NewFirehoseFetchClient(endpoint, jwt string, useInsecureTSLConnection, usePlainTextConnection bool) (cli pbfirehose.FetchClient, closeFunc func() error, err error) {
+func NewFirehoseFetchClient(endpoint, jwt, apiKey string, useInsecureTSLConnection, usePlainTextConnection bool) (cli pbfirehose.FetchClient, closeFunc func() error, callOpts []grpc.CallOption, err error) {
 
 	if useInsecureTSLConnection && usePlainTextConnection {
-		return nil, nil, fmt.Errorf("option --insecure and --plaintext are mutually exclusive, they cannot be both specified at the same time")
+		return nil, nil, nil, fmt.Errorf("option --insecure and --plaintext are mutually exclusive, they cannot be both specified at the same time")
 	}
 
 	var dialOptions []grpc.DialOption
@@ -92,14 +92,18 @@ func NewFirehoseFetchClient(endpoint, jwt string, useInsecureTSLConnection, useP
 		dialOptions = []grpc.DialOption{grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{InsecureSkipVerify: true}))}
 	}
 
-	if jwt != "" && !usePlainTextConnection {
-		credentials := oauth.NewOauthAccess(&oauth2.Token{AccessToken: jwt, TokenType: "Bearer"})
-		dialOptions = append(dialOptions, grpc.WithPerRPCCredentials(credentials))
+	if !usePlainTextConnection {
+		if jwt != "" {
+			credentials := oauth.NewOauthAccess(&oauth2.Token{AccessToken: jwt, TokenType: "Bearer"})
+			callOpts = append(callOpts, grpc.PerRPCCredentials(credentials))
+		} else if apiKey != "" {
+			callOpts = append(callOpts, grpc.PerRPCCredentials(&ApiKeyAuth{ApiKey: apiKey}))
+		}
 	}
 
 	conn, err := dgrpc.NewExternalClient(endpoint, dialOptions...)
 	if err != nil {
-		return nil, nil, fmt.Errorf("unable to create external gRPC client: %w", err)
+		return nil, nil, nil, fmt.Errorf("unable to create external gRPC client: %w", err)
 	}
 	closeFunc = conn.Close
 	cli = pbfirehose.NewFetchClient(conn)