> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fabraix.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Authentication
> Learn how to authenticate with the Fabraix API
## Overview
The Fabraix API uses API keys to authenticate requests. You can view and manage your API keys in the [Fabraix Dashboard](https://app.fabraix.com/).
Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.
## Authentication Method
All API requests must include your API key in the `x-api-key` header:
```bash cURL theme={null}
curl https://api.fabraix.com/v1/register-agent-run \
-H "x-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"agent_id": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
"timestamp": "2024-01-01T00:00:00Z",
"system_prompt": "You are a helpful assistant"
}'
```
```python Python theme={null}
import requests
headers = {
"x-api-key": "YOUR_API_KEY",
"Content-Type": "application/json"
}
response = requests.post(
"https://api.fabraix.com/v1/register-agent-run",
headers=headers,
json={
"agent_id": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
"timestamp": "2024-01-01T00:00:00Z",
"system_prompt": "You are a helpful assistant"
}
)
```
```javascript JavaScript theme={null}
const headers = {
'x-api-key': 'YOUR_API_KEY',
'Content-Type': 'application/json'
};
fetch('https://api.fabraix.com/v1/register-agent-run', {
method: 'POST',
headers: headers,
body: JSON.stringify({
agent_id: 'a1b2c3d4-e5f6-7890-1234-567890abcdef',
timestamp: '2024-01-01T00:00:00Z',
system_prompt: 'You are a helpful assistant'
})
});
```
## API Key Types
Fabraix provides different types of API keys for different use cases:
For local development and testing. These keys have relaxed rate limits but should never be used in production.
For production deployments. These keys have higher rate limits and access to production features.
Keys with limited scope for specific operations. Perfect for client-side applications or third-party integrations.
Full access keys for administrative operations. Use with extreme caution.
## Managing API Keys
### Creating a New API Key
1. Navigate to the [API Keys page](https://app.fabraix.com/settings) in your dashboard
2. Click "Create New Key"
3. Select the key type and permissions
4. Give your key a descriptive name
5. Copy the key immediately - it won't be shown again!
### Rotating API Keys
We recommend rotating your API keys regularly:
Generate a new API key with the same permissions as the old one
Deploy your application with the new API key
Ensure your application is working correctly with the new key
Delete the old API key from your dashboard
### Revoking API Keys
To immediately revoke an API key:
1. Go to the [API Keys page](https://app.fabraix.com/settings)
2. Find the key you want to revoke
3. Click the "Delete" button
4. Confirm the deletion
Revoking an API key is immediate and irreversible. Make sure you have updated your applications to use a different key before revoking.
## Security Best Practices
### Environment Variables
Never hardcode API keys in your source code. Use environment variables instead:
```bash .env theme={null}
FABRAIX_API_KEY=your_api_key_here
```
```python Python theme={null}
import os
from dotenv import load_dotenv
load_dotenv()
API_KEY = os.getenv('FABRAIX_API_KEY')
if not API_KEY:
raise ValueError("FABRAIX_API_KEY environment variable not set")
```
```javascript JavaScript theme={null}
require('dotenv').config();
const API_KEY = process.env.FABRAIX_API_KEY;
if (!API_KEY) {
throw new Error('FABRAIX_API_KEY environment variable not set');
}
```
### Secret Management
For production environments, use a proper secret management system:
* **AWS**: AWS Secrets Manager or Parameter Store
* **Azure**: Azure Key Vault
* **Google Cloud**: Secret Manager
* **Kubernetes**: Kubernetes Secrets
* **HashiCorp**: Vault
### Client-Side Security
Never expose your secret API keys in client-side code. For browser-based applications, use:
1. A backend proxy that adds the API key to requests
2. Restricted keys with limited permissions
3. Short-lived tokens generated by your backend
## Rate Limiting
API keys are subject to rate limiting to ensure fair usage:
| Key Type | Requests per Minute | Requests per Hour |
| ----------- | ------------------- | ----------------- |
| Development | 60 | 1,000 |
| Production | 600 | 10,000 |
| Enterprise | Custom | Custom |
When you exceed the rate limit, you'll receive a `429 Too Many Requests` response:
```json theme={null}
{
"error": {
"message": "Rate limit exceeded",
"type": "rate_limit_error",
"retry_after": 30
}
}
```
## Error Responses
Authentication failures will return appropriate HTTP status codes:
### 401 Unauthorized
Missing or invalid API key:
```json theme={null}
{
"error": {
"message": "Invalid API key provided",
"type": "authentication_error",
"code": "invalid_api_key"
}
}
```
### 403 Forbidden
Valid key but insufficient permissions:
```json theme={null}
{
"error": {
"message": "API key does not have permission for this operation",
"type": "authorization_error",
"code": "insufficient_permissions"
}
}
```
## Need Help?
If you're having trouble with authentication:
1. Verify your API key is correct and active in the [dashboard](https://app.fabraix.com/settings)
2. Check that you're using the correct header name: `x-api-key`
3. Ensure your key has the necessary permissions for the operation
4. Contact [founders@fabraix.com](mailto:founders@fabraix.com) if issues persist