# Authentication

> How to authenticate Tradavity Public API requests with a Bearer token or X-API-Key header.
> Source: https://help.tradavity.com/api-docs/authentication
> Category: Core Concepts

---

Every request must carry your API key in one of two headers:

```
Authorization: Bearer tvty_YOUR_KEY_HERE
```

or, for clients that cannot set `Authorization`:

```
X-API-Key: tvty_YOUR_KEY_HERE
```

Keys passed via query string are **rejected** — they leak into proxy access logs.

Authentication failures return HTTP `401` with one of these error codes:

| Code | Reason |
| --- | --- |
| `unauthorized` | Missing, malformed, or invalid key |
| `key_revoked` | Key was explicitly revoked in settings |
| `key_expired` | Key reached its `expires_at` date |

### Key storage

Keys are stored as a SHA-256 hash on our servers — we cannot show you the plaintext after you create the key. Lose it and you have to revoke and create a new one. Pre-existing keys created before 2026-05 are still valid but cannot be displayed in full anymore.

### Multiple keys per account

You can have up to 25 active keys at a time. Each key has its own name, scopes, and rate-limit window. Use separate keys per integration (e.g. one for your AI agent, one for a mobile script, one for backups) so you can revoke them independently if anything leaks.

Next: [Scopes](https://help.tradavity.com/api-docs/scopes).