# Authentication

Every SwissPay API request is authenticated with a bearer token.

## The Authorization header

```
Authorization: Bearer sk_test_...
```

Send this header on every request. A request with no header, or with an unknown key, returns:

```
HTTP/1.1 401 Unauthorized
{
  "error": {
    "code": "missing_api_key",
    "message": "Authorization header missing or invalid"
  }
}
```

## Where keys come from

* **Dashboard:** Developers → API keys.
* Click **Create key**, pick a scope, click **Create**.
* **You only see the plaintext key once** at creation. Copy it immediately into your secrets manager. If you lose it, revoke it and create a new one.

## Test keys

Test keys start with `sk_test_...` and only work against `https://staging.swisspay.ai`.
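A client-side guard for the header and test-key rules above, as an added example (not SwissPay's own code). The `SWISSPAY_API_KEY` variable name and the function names are assumptions; the prefix, staging host and error code are the ones documented on this page.

```python
import json
import os
from typing import Optional
from urllib.parse import urlsplit

STAGING_HOST = "staging.swisspay.ai"  # from this page: the only host test keys work against
TEST_PREFIX = "sk_test_"              # from this page: test key prefix


def redact(key: str) -> str:
    """Log-safe form of a key: the prefix is kept, the secret part is dropped."""
    return TEST_PREFIX + "****" if key.startswith(TEST_PREFIX) else "****"


def auth_headers(url: str, key: Optional[str] = None) -> dict:
    """Build the Authorization header, refusing requests that would expose the key."""
    # SWISSPAY_API_KEY is a hypothetical name; populate it from your secrets manager.
    if key is None:
        key = os.environ.get("SWISSPAY_API_KEY", "")
    # Whitespace (including CR/LF) in a key means a bad copy-paste or header injection.
    if not key or any(c.isspace() for c in key):
        raise ValueError("API key is empty or contains whitespace")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send a bearer token without TLS")
    # Exact hostname match, so look-alike hosts and userinfo tricks do not pass.
    if key.startswith(TEST_PREFIX) and parts.hostname != STAGING_HOST:
        raise ValueError(f"test key {redact(key)} only works against {STAGING_HOST}")
    return {"Authorization": f"Bearer {key}"}


def is_auth_failure(status: int, body: str) -> bool:
    """True for the documented 401 response with code missing_api_key."""
    if status != 401:
        return False
    try:
        return json.loads(body)["error"]["code"] == "missing_api_key"
    except (ValueError, KeyError, TypeError):
        return False
```

Error messages only ever contain the redacted form, so a rejected request does not write the plaintext key into logs.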

## Rotation

Best practice:

* Rotate keys at least every 90 days, and immediately on a known or suspected compromise.
* Roll forward: create the new key, deploy it, verify, then revoke the old key.
* Use a separate key per service / integration so you can revoke just one when needed.

## What to never do

* Never embed a key in client-side code (mobile apps, browser JavaScript).
* Never commit a key to a git repository.
* Never include a key in a support ticket — share the **key ID** instead.
* Never send a key in email or chat.

## Suspecting a leak

If you think a key has leaked:

1. Revoke it in the dashboard immediately.
2. Create a replacement.
3. Email <security@swisspay.ai> with the key ID, the suspected leak channel, and the rough timeline. Don't include the plaintext key.

We will review API access logs for the affected key.

