> ## Documentation Index
> Fetch the complete documentation index at: https://developer.verilock.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Secure your API requests with API key authentication.

## API Key Authentication

All requests to the Verilock API must include your API key in the `Authorization` header as a Bearer token.

<Warning>
  **Keep your API keys secure.** Never expose keys in client-side code, public repositories, or browser requests. All API calls must originate from your backend server.
</Warning>

```bash Required Headers theme={null}
Authorization: Bearer qi_live_your_api_key_here
Content-Type: application/json
Accept: application/json
```

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET \
    "https://verilock.io/api/v1/sessions" \
    -H "Authorization: Bearer qi_live_your_api_key_here" \
    -H "Accept: application/json"
  ```

  ```php PHP theme={null}
  $client = new \GuzzleHttp\Client();
  $response = $client->get(
    'https://verilock.io/api/v1/sessions',
    ['headers' => [
      'Authorization' => 'Bearer qi_live_your_api_key_here',
      'Accept' => 'application/json',
    ]]
  );
  ```

  ```python Python theme={null}
  import requests

  response = requests.get(
      "https://verilock.io/api/v1/sessions",
      headers={
          "Authorization": "Bearer qi_live_your_api_key_here",
          "Accept": "application/json",
      }
  )
  ```

  ```javascript Node.js theme={null}
  const response = await fetch("https://verilock.io/api/v1/sessions", {
    headers: {
      "Authorization": "Bearer qi_live_your_api_key_here",
      "Accept": "application/json",
    },
  });
  const data = await response.json();
  ```
</CodeGroup>

## Key Prefixes

| Prefix     | Environment | Usage                                                    |
| ---------- | ----------- | -------------------------------------------------------- |
| `qi_live_` | Production  | Live API requests with real data                         |
| `qi_test_` | Sandbox     | Testing and development -- no charges, simulated results |

<Tip>
  Use `qi_test_` keys during development. They return simulated verification results and are free to use.
</Tip>

## Rate Limiting

API requests are rate limited per API key. Current limits are returned in response headers:

| Header                  | Description                                     |
| ----------------------- | ----------------------------------------------- |
| `X-RateLimit-Limit`     | Maximum requests per minute                     |
| `X-RateLimit-Remaining` | Remaining requests in current window            |
| `Retry-After`           | Seconds until rate limit resets (only on `429`) |

<Info>
  Default rate limit is **120 requests/minute** per API key. Contact us if you need higher limits for production workloads.
</Info>

## Authentication Errors

If authentication fails, the API returns a `401` status:

```json 401 Unauthorized theme={null}
{
  "error": "authentication_error",
  "message": "Invalid or missing API key.",
  "details": null
}
```

Common causes:

* Missing `Authorization` header or invalid Bearer token format
* Invalid or revoked API key
* Using a test key against production endpoints (or vice versa)
