---
title: "Authentication"
description: "Send Authorization Bearer rgyd_live_... on every request. Mint keys at app.rigyd.com."
---

import { Aside, Tabs, TabItem } from '@astrojs/starlight/components';

The Rigyd API authenticates every request with a single header:

```http
Authorization: Bearer rgyd_live_<43-char-token>
```

That's it. No OAuth, no signing, no expiring access tokens to refresh.

## Get a key

Mint an API key in **[app.rigyd.com](https://app.rigyd.com)** under **Settings → API Keys**. Click **Create key**, give it a name (e.g. `production-backend`), and optionally set an `expires_at` date.

The plaintext token is shown **once** at creation time. Store it in a secret manager — Rigyd only keeps a SHA-256 hash, so we cannot recover it for you.

<Aside type="note">
  Keys are scoped to the user that created them. Calls made with the key consume that user's credits and inherit that user's plan limits. Each user can have up to 10 active keys.
</Aside>

## Token shapes

| Environment | Prefix         | Example                                            |
| ----------- | -------------- | -------------------------------------------------- |
| Production  | `rgyd_live_`   | `rgyd_live_a1b2c3...` (43 chars after the prefix)  |
| Other       | `rgyd_test_`   | `rgyd_test_a1b2c3...` (43 chars after the prefix)  |

## Use the key

<Tabs syncKey="lang">
  <TabItem label="curl">
  ```bash
  curl https://api.rigyd.com/api/conversions \
    -H "Authorization: Bearer rgyd_live_..."
  ```
  </TabItem>
  <TabItem label="JavaScript">
  ```js
  await fetch('https://api.rigyd.com/api/conversions', {
    headers: { Authorization: `Bearer ${process.env.RIGYD_API_KEY}` },
  });
  ```
  </TabItem>
  <TabItem label="Python">
  ```python
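  import os

  import requests

  # Read the key from the environment rather than hardcoding it in source.
  requests.get(
      "https://api.rigyd.com/api/conversions",
      headers={"Authorization": f"Bearer {os.environ['RIGYD_API_KEY']}"},
      timeout=30,  # requests does not time out unless told to
  )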
  ```
  </TabItem>
</Tabs>

## What happens if the key is bad

| Situation                       | Status | Body                                   |
| ------------------------------- | ------ | -------------------------------------- |
| Missing `Authorization` header  | `401`  | `{ "error": "Authentication required" }` |
| Unknown / revoked / expired key | `401`  | `{ "error": "Invalid API key" }`       |
| Key valid but no credits left   | `402`  | `{ "error": "Insufficient credits" }`  |

See [Errors](/reference/errors) for the full table.

## Rotation and revocation

Both happen in **[app.rigyd.com](https://app.rigyd.com) → Settings → API Keys**:

- **Rotate**: create a new key, ship it, then revoke the old one.
- **Revoke immediately** if a key leaks. Every request made with that key after the revoke returns `401`.

By design, the Rigyd API does not currently expose key management programmatically, so a leaked key cannot mint or revoke other keys.
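
Because the token shapes listed under "Token shapes" are fixed, a key that ends up in source, config or logs can be caught before it ships. The scanner below is an added example for pre-commit or CI use, not Rigyd tooling; the URL-safe base64 alphabet for the 43-character body is an assumption (the page gives only prefix and length), and the sample keys are constructed.

```python
import re
import sys
from pathlib import Path

# Shapes from the "Token shapes" table: rgyd_live_ / rgyd_test_ plus 43 characters.
# Assumption: the 43 characters are URL-safe base64 (A-Z a-z 0-9 _ -); the page
# states the length but not the alphabet.
_BODY = r"[A-Za-z0-9_-]"
RIGYD_KEY_RE = re.compile(rf"(?<!{_BODY})(rgyd_(live|test)_)({_BODY}{{43}})(?!{_BODY})")


def redact(key):
    """Keep the prefix and the last 4 characters so a finding can be triaged
    without copying the secret into scanner output."""
    m = RIGYD_KEY_RE.fullmatch(key)
    if m is None:
        raise ValueError("not a Rigyd-shaped key")
    return f"{m.group(1)}...{m.group(3)[-4:]}"


def find_rigyd_keys(text, source="<input>"):
    """Return one finding per key-shaped string, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in RIGYD_KEY_RE.finditer(line):
            env = "production" if m.group(2) == "live" else "other"
            findings.append({"source": source, "line": lineno,
                             "environment": env, "key": redact(m.group(0))})
    return findings


# Constructed sample input: these keys are made up and match no real account.
LIVE = "rgyd_live_" + "a1B2c3D4e5" * 4 + "xyz"
TEST = "rgyd_test_" + "Z9y8X7w6V5" * 4 + "_-0"
SAMPLE = "\n".join([
    "RIGYD_API_KEY=" + LIVE,
    'curl -H "Authorization: Bearer rgyd_live_..."',  # docs placeholder, not a key
    'headers = {"Authorization": "Bearer ' + TEST + '"}',
    "log: rejected rgyd_live_a1b2c3 (truncated)",     # too short to be a key
])

if __name__ == "__main__":
    # Scan files named on the command line, or the sample; exit 1 on any finding.
    inputs = [(p, Path(p).read_text(encoding="utf-8", errors="replace"))
              for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    hits = [h for src, text in inputs for h in find_rigyd_keys(text, src)]
    for hit in hits:
        print(f"{hit['source']}:{hit['line']}: {hit['environment']} key {hit['key']}")
    sys.exit(1 if hits else 0)
```

Any finding on a `rgyd_live_` key should be treated as a leak: revoke it in the dashboard and rotate as described above.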