> ## Documentation Index
> Fetch the complete documentation index at: https://docs.baytos.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Claro REST API

The Claro API uses API keys to authenticate requests. All API requests must include a valid API key in the `Authorization` header using Bearer authentication.

## Getting Your API Key

<Steps>
  <Step title="Log into Claro">
    Navigate to [claro.baytos.ai](https://claro.baytos.ai) and sign in to your account
  </Step>

  <Step title="Access API Keys">
    Click **API Keys** from the sidebar navigation
  </Step>

  <Step title="Create New Key">
    Click **Create API Key** and give it a descriptive name (e.g., "Production Server", "Development")
  </Step>

  <Step title="Copy and Save">
    Copy the API key immediately and store it securely

    <Warning>
      You won't be able to see the API key again after closing the dialog. If you lose it, you'll need to create a new one.
    </Warning>
  </Step>
</Steps>

## API Key Format

API keys follow this format:

```
sk_live_1234567890abcdefghijklmnopqrstuvwxyz1234567890
```

* Prefix: `sk_live_` for production keys, `sk_test_` for test keys
* Length: 50 characters total
* Encoding: Base62 (alphanumeric)

<Note>
  Test keys (with `sk_test_` prefix) are not yet available but will be coming soon for sandbox environments.
</Note>

## Making Authenticated Requests

Include your API key in the `Authorization` header using the `Bearer` scheme:

### cURL Example

```bash theme={null}
curl https://api.baytos.ai/v1/prompts \
  -H "Authorization: Bearer sk_live_your_api_key_here"
```

### Python Example

Using the SDK (recommended):

```python theme={null}
from baytos.claro import BaytClient

client = BaytClient(api_key="sk_live_your_api_key_here")
prompt = client.get_prompt("@workspace/my-prompt:v1")
```

Using requests library:

```python theme={null}
import requests

headers = {
    "Authorization": "Bearer sk_live_your_api_key_here",
    "Content-Type": "application/json"
}

response = requests.get(
    "https://api.baytos.ai/v1/prompts",
    headers=headers
)
```

### JavaScript Example

Using fetch:

```javascript theme={null}
const response = await fetch('https://api.baytos.ai/v1/prompts', {
  headers: {
    'Authorization': 'Bearer sk_live_your_api_key_here',
    'Content-Type': 'application/json'
  }
});

const data = await response.json();
```

Using axios:

```javascript theme={null}
import axios from 'axios';

const client = axios.create({
  baseURL: 'https://api.baytos.ai/v1',
  headers: {
    'Authorization': 'Bearer sk_live_your_api_key_here',
    'Content-Type': 'application/json'
  }
});

const response = await client.get('/prompts');
```

## Environment Variables

Store your API key in environment variables rather than hardcoding it:

### Bash/Zsh

```bash theme={null}
export BAYT_API_KEY="sk_live_your_api_key_here"
```

Add to `~/.bashrc` or `~/.zshrc` to persist across sessions.

### Python (.env file)

```bash theme={null}
# .env
BAYT_API_KEY=sk_live_your_api_key_here
```

Load with python-dotenv:

```python theme={null}
import os
from dotenv import load_dotenv
from baytos.claro import BaytClient

load_dotenv()

client = BaytClient(api_key=os.getenv("BAYT_API_KEY"))
```

### Node.js (.env file)

```bash theme={null}
# .env
BAYT_API_KEY=sk_live_your_api_key_here
```

Load with dotenv:

```javascript theme={null}
require('dotenv').config();

const apiKey = process.env.BAYT_API_KEY;
```

## Security Best Practices

<AccordionGroup>
  <Accordion title="Never commit API keys to version control">
    Add your API keys to `.gitignore`:

    ```bash theme={null}
    # .gitignore
    .env
    .env.local
    .env.production
    ```

    Use environment variables or secret management services instead.
  </Accordion>

  <Accordion title="Use different keys for different environments">
    Create separate API keys for:

    * Development/testing
    * Staging
    * Production

    This allows you to rotate keys without affecting all environments.
  </Accordion>

  <Accordion title="Rotate keys regularly">
    Create a new API key, update your application, then delete the old key.

    We recommend rotating production keys at least every 90 days.
  </Accordion>

  <Accordion title="Delete unused keys">
    Regularly audit your API keys in the Claro dashboard and delete any that are no longer needed.
  </Accordion>

  <Accordion title="Use server-side authentication only">
    Never expose API keys in client-side code (JavaScript in browsers, mobile apps, etc.).

    Always make API calls from your backend server.
  </Accordion>
</AccordionGroup>

## Authentication Errors

### 401 Unauthorized

Your API key is missing or invalid:

```json theme={null}
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid API key"
  }
}
```

Solutions:

* Verify the API key is correct
* Check that you're using the `Bearer` prefix
* Ensure the key hasn't been deleted from your Claro account

### 403 Forbidden

Your API key is valid but doesn't have permission to access the resource:

```json theme={null}
{
  "error": {
    "code": "forbidden",
    "message": "Insufficient permissions"
  }
}
```

Solutions:

* Verify you have access to the workspace
* Check that the prompt exists and you have permission to view it
* Ensure your workspace subscription is active

## Testing Authentication

Test your API key with the health endpoint:

```bash theme={null}
curl https://api.baytos.ai/v1/health \
  -H "Authorization: Bearer sk_live_your_api_key_here"
```

Expected response:

```json theme={null}
{
  "status": "ok",
  "timestamp": "2024-01-15T10:30:00Z"
}
```

## Next Steps

<CardGroup cols={2}>
  <Card title="Rate Limits" icon="gauge" href="/api-reference/rate-limits">
    Learn about API rate limits and how to handle them
  </Card>

  <Card title="Error Handling" icon="shield" href="/api-reference/errors">
    Understand error responses and how to handle them
  </Card>

  <Card title="Quick Start" icon="rocket" href="/quickstart">
    Get started making your first API call
  </Card>

  <Card title="Python SDK" icon="python" href="/sdk/python/installation">
    Use the Python SDK for easier authentication
  </Card>
</CardGroup>
