> ## Documentation Index
> Fetch the complete documentation index at: https://docs.spiralstake.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys for the partner endpoints.

Partner endpoints require an API key, sent as a bearer token.

```http theme={null}
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxx
```

An `X-API-Key: <key>` header is also accepted.

<Warning>
  Keep your key **server-side**. Never ship it to a browser or mobile client — anyone with the key gets your rate tier and revenue attribution.
</Warning>

## Getting a key

Keys are issued out-of-band as part of onboarding. Contact us to start: [abhishek@spiralstake.xyz](mailto:abhishek@spiralstake.xyz).

Each key is tied to a partner profile with:

* a **rate tier** (requests/minute),
* **usage attribution** for revenue reconciliation.

Only the key's hash is stored — the raw key is shown once at issuance.

## Behavior

| Request                             | Result                                      |
| ----------------------------------- | ------------------------------------------- |
| Valid key on `/v1/partner/*`        | Authorized, attributed, on your rate tier   |
| No / invalid key on `/v1/partner/*` | `401 unauthorized`                          |
| Valid key on a public read          | Optional — puts that read on your rate tier |
| Invalid key on a public read        | Ignored (public routes are never gated)     |

<Note>
  Public read endpoints work with no key. Sending your key on them is optional — it just moves them onto your rate tier instead of the shared per-IP limit.
</Note>
