> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bridgly.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How Bridgly API keys work and how to keep them secure.

## API keys

Every request is authenticated with a Bridgly API key. A key looks like this:

```
bgly_Xf8s2Kd9...q1Zn
```

Send it on every call as a bearer token in the `Authorization` header:

```bash theme={null}
curl https://api.bridgly.app/reddit/get-user \
  -H "Authorization: Bearer bgly_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{ "username": "spez" }'
```

Calls are billed to the account the key belongs to. You can create as many keys
as you like — for example, one per environment or per service — and revoke any
of them without affecting the others.

## Managing keys

Keys are managed from the **API Keys** page of your
[dashboard](https://bridgly.app/dashboard):

<Steps>
  <Step title="Create">
    Click **Create key**, give it an optional name, and copy the value shown.
  </Step>

  <Step title="Use">
    Add it to your app as an environment variable and send it on every request.
  </Step>

  <Step title="Revoke">
    Delete a key from the dashboard when it is no longer needed or may be
    compromised. Revocation takes effect within moments.
  </Step>
</Steps>

<Warning>
  A key's secret is shown **once**, at creation. We store only a hash, so we can
  never display it again. If you lose a key, revoke it and create a new one.
</Warning>

## Keeping keys safe

<CardGroup cols={2}>
  <Card title="Keep keys server-side" icon="shield-halved">
    Never ship a key in a browser, mobile app, or public repository. Anyone with
    the key can spend your credits.
  </Card>

  <Card title="Use one key per service" icon="layer-group">
    Separate keys make it easy to rotate or revoke one without disrupting the
    rest of your integration.
  </Card>

  <Card title="Rotate periodically" icon="rotate">
    Create a new key, switch your app over, then revoke the old one.
  </Card>

  <Card title="Revoke on exposure" icon="triangle-exclamation">
    If a key leaks, delete it immediately from the dashboard.
  </Card>
</CardGroup>

## Errors

A missing, malformed, or revoked key returns `401 Unauthorized`:

```json theme={null}
{
  "status": "error",
  "message": "Invalid API key"
}
```

If your account is out of credits, calls return `402 Payment Required`. Top up
from the **Billing** page of your dashboard. See
[Responses & errors](/responses) for the full list of status codes.
