# Auth

All API requests require authentication using an API key.

Authentication is performed using a Bearer token in the Authorization header.

***

### API Key

Each account can generate one or more API keys from the dashboard.

API keys are:

* Unique per account
* Scoped to the account that created them
* Used for rate limiting

Keys should be stored securely and never exposed in client-side applications.

***

### Authorization Header

All requests must include:

```
Authorization: Bearer YOUR_API_KEY
```

Example:

```bash
curl -X GET https://aurex.cash/api/dashboard/users/{userId} \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Requests without a valid API key will return:

* HTTP 401
* Standard error response format

***

### Invalid API Key

If the API key is:

* Missing
* Incorrect
* Revoked
* Malformed

The API will return:

```json
{
  "success": false,
  "error": "Invalid or missing API key"
}
```

***

### Multiple API Keys

An account may generate multiple API keys.

Each key:

* Shares the same account balance
* Has independent rate limiting
* Can be revoked individually

This allows separation between environments or services.

***

### Key Rotation

If a key is compromised:

1. Generate a new API key.
2. Update your integration.
3. Revoke the old key.

Revoked keys immediately lose access to all endpoints.
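The following client shows the Authorization header and the 401 error handling described above, plus a check for step 2 of the rotation procedure (confirming the new key authenticates before the old one is revoked). It is an added example, not Aurex's own SDK: the base URL and the error body are taken from this page, while the environment variable name `AUREX_API_KEY`, the injectable `opener`, the `make_fake_opener` stand-in, and the sample user id `usr_example` are assumptions made for the example.

```python
"""Minimal client for the Bearer-token auth described on this page.

Added example, not Aurex's own SDK. BASE_URL and the error body come from
the page; AUREX_API_KEY, the injectable opener and usr_example are assumed.
"""
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://aurex.cash/api"  # taken from the curl example on this page


class AuthError(Exception):
    """Raised when the API answers HTTP 401 (missing, wrong, revoked or malformed key)."""

    def __init__(self, message):
        super().__init__(f"HTTP 401: {message}")
        self.message = message


def load_api_key(env_var="AUREX_API_KEY"):
    """Read the key from the server environment, never from source or a frontend bundle.
    Reading it per request makes a rotation a config change rather than a redeploy."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to send an unauthenticated request")
    return key


def auth_headers(api_key):
    """Build the Authorization header exactly as documented: 'Bearer <key>'."""
    if not api_key or any(c.isspace() for c in api_key):
        raise ValueError("API key must be non-empty and contain no whitespace")
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


def parse_error(body):
    """Pull the message out of the documented error format; fall back to the raw body."""
    try:
        data = json.loads(body)
        if isinstance(data, dict) and data.get("success") is False:
            return str(data.get("error", "unknown error"))
    except ValueError:
        pass
    return body[:200]


def default_opener(req):
    """Send the request and return (status, body); HTTPError carries the 4xx/5xx body too."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def make_fake_opener(status, body):
    """Constructed stand-in for default_opener so the client can be exercised offline."""
    def opener(req):
        # Every request must carry the documented header before it leaves the client.
        assert req.get_header("Authorization", "").startswith("Bearer ")
        return status, body
    return opener


def get_user(user_id, api_key=None, opener=default_opener):
    """GET /dashboard/users/{userId}; raises AuthError on 401, RuntimeError on other errors."""
    key = api_key if api_key is not None else load_api_key()
    req = urllib.request.Request(
        f"{BASE_URL}/dashboard/users/{user_id}", headers=auth_headers(key), method="GET"
    )
    status, body = opener(req)
    if status == 401:
        raise AuthError(parse_error(body))
    if status >= 400:
        raise RuntimeError(f"HTTP {status}: {parse_error(body)}")
    return json.loads(body)


def key_is_accepted(api_key, user_id="usr_example", opener=default_opener):
    """Rotation step 2: confirm the NEW key authenticates before revoking the old one.
    Any status other than 401 (even a 404 for the placeholder user id) means the key was accepted."""
    try:
        get_user(user_id, api_key, opener)
    except AuthError:
        return False
    except RuntimeError:
        return True
    return True


if __name__ == "__main__":
    # Live call: export AUREX_API_KEY first; usr_example is a placeholder id.
    print(get_user("usr_example"))
```

During a rotation, run `key_is_accepted(new_key)` from the environment that will use it; only once it returns `True` update the integration and revoke the old key, so the service never sits on a revoked key.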

***

### Security Recommendations

* Store API keys in secure server environments only
* Do not embed API keys in frontend code
* Do not commit keys to public repositories
* Rotate keys periodically

> API keys provide full access to account resources. Anyone with access to the key can create users, issue cards, and move funds.
