# Authentication

> API key authentication and key management.

## API key format

```
bk_<env>_<random>
   ^^^^^ ^^^^^^^^
   |     32 base62 chars (high entropy)
   test | live
```

* `bk_test_` — sandbox key, read-only access to a demo engine
* `bk_live_` — production key, full access to your engines

Both prefixes hit the same base URL: `https://api.barker.money`. The server reads the key prefix to scope permissions and rate limits — there is no separate sandbox host.

## Header

Every request must include:

```
X-Api-Key: bk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Missing or invalid key → `401 Unauthorized`.

## Rotation & revocation

In [Portal → API Keys](https://portal.barker.money/api-keys) you can:

* **Create** a new key (returned once in plaintext, then only the prefix is visible)
* **Revoke** any key (immediate, no grace period)
* View `last_used_at` and `last_used_ip` for each key

Best practice: rotate production keys every 90 days. Both the old and the new key can be active during the cutover, so clients can be switched over without downtime before the old key is revoked.

## Storage on our side

Your plaintext key is **never stored**. We store:

* `key_hash`: bcrypt hash of the full key
* `key_prefix`: first 12 chars for UI/audit (e.g. `bk_live_a3F2`)

This means we cannot recover a lost key — you must rotate.
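A constructed sketch of the key lifecycle the format and storage sections above describe (added here; this is not Barker's own server code): generate a key in the documented `bk_<env>_<random>` shape, persist only the 12-char prefix and a salted hash, and verify a presented key against those records. The page names bcrypt as the stored hash; this example substitutes the standard library's scrypt so it runs offline, and the handling of two keys sharing a prefix is an assumption about how lookup should behave.

```python
import hashlib
import hmac
import os
import re
import secrets

# Constructed model of the key handling this page describes. The page says the
# stored hash is bcrypt; hashlib.scrypt stands in so this runs with the standard
# library only. Use bcrypt for a real deployment.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
KEY_RE = re.compile(r"^bk_(test|live)_[0-9A-Za-z]{32}$")
PREFIX_LEN = 12  # "bk_live_a3F2": enough for lookup/audit, safe to display

def generate_key(env: str) -> str:
    """Fresh key: 32 base62 chars from a CSPRNG (about 190 bits of entropy)."""
    if env not in ("test", "live"):
        raise ValueError("env must be 'test' or 'live'")
    return f"bk_{env}_" + "".join(secrets.choice(BASE62) for _ in range(32))

def parse_key(key: str):
    """(env, prefix) for a well-formed key, None otherwise."""
    m = KEY_RE.match(key)
    return (m.group(1), key[:PREFIX_LEN]) if m else None

def _hash(key: str, salt: bytes) -> bytes:
    # scrypt stand-in for bcrypt (assumption, see lead-in); 16 MiB, ~100 ms
    return hashlib.scrypt(key.encode(), salt=salt, n=2**14, r=8, p=1)

def store_key(key: str) -> dict:
    """Record to persist: prefix + salted hash. The plaintext is never kept."""
    parsed = parse_key(key)
    if parsed is None:
        raise ValueError("malformed key")
    salt = os.urandom(16)
    return {"env": parsed[0], "key_prefix": parsed[1],
            "salt": salt, "key_hash": _hash(key, salt)}

def verify_key(presented: str, records):
    """Matching record for a presented key, or None (caller answers 401)."""
    parsed = parse_key(presented)
    if parsed is None:
        return None  # reject malformed input before any hashing work
    # The 12-char prefix holds only 4 random chars, so it is not unique:
    # check every record that shares it instead of stopping at the first.
    for rec in records:
        if rec["key_prefix"] == parsed[1] and hmac.compare_digest(
            _hash(presented, rec["salt"]), rec["key_hash"]
        ):
            return rec
    return None
```

Because only `key_hash` and `key_prefix` are stored, a leaked database gives an attacker nothing that can be replayed as a key, which is exactly why a lost key cannot be recovered and must be rotated.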
