# Authentication

Learn how to authenticate your API requests to HivePay.

---

## API Keys

HivePay uses API keys to authenticate requests. Your API key is generated during [merchant registration](/getting-started/registration/) and grants access to:

- Create and manage payment sessions
- View payment history and details
- Update merchant settings
- Configure webhooks

---

## Using Your API Key

Include your API key in the `Authorization` header of every API request:

+++ TypeScript
```typescript
import { HivePay } from '@hivepay/client';

const hivepay = new HivePay({
  apiKey: 'sk_live_xxxxxxxxxxxxx'
});

// All subsequent requests are authenticated
const payment = await hivepay.payments.create({
  amount: '10000',
  currency: 'HIVE',
  description: 'Order #123'
});
```
+++ cURL
```bash
curl https://hivepay.me/api/public/payments \
  -H "Authorization: Bearer sk_live_xxxxxxxxxxxxx"
```
+++ JavaScript (fetch)
```javascript
const response = await fetch('https://hivepay.me/api/public/payments', {
  headers: {
    'Authorization': 'Bearer sk_live_xxxxxxxxxxxxx',
    'Content-Type': 'application/json'
  }
});
```
+++

---

## API Key Format

HivePay API keys follow this format:

```
sk_live_xxxxxxxxxxxxx
```

- `sk_` - Indicates a secret key
- `live_` - Environment identifier
- `xxxxxxxxxxxxx` - Unique identifier

---

## Security Best Practices

### Do

- Store API keys in environment variables, not in code
- Use secrets management systems in production
- Rotate keys if you suspect they've been compromised
- Use separate keys for development and production (when available)

### Don't

- Commit API keys to version control
- Share API keys in public forums or code snippets
- Include API keys in client-side JavaScript
- Log API keys or include them in error messages

---

## Environment Variables

Store your API key in environment variables:

+++ Node.js
```typescript
// .env file
HIVEPAY_API_KEY=sk_live_xxxxxxxxxxxxx

// Application code
import { HivePay } from '@hivepay/client';

const hivepay = new HivePay({
  apiKey: process.env.HIVEPAY_API_KEY
});
```
+++ Bash
```bash
export HIVEPAY_API_KEY=sk_live_xxxxxxxxxxxxx
```
+++

---

## Lost API Key

If you lose your API key, you cannot retrieve it. Contact [support](/support/) to:

1. Deactivate your existing key
2. Generate a new API key

!!!warning
When a new key is generated, your old key becomes invalid immediately. Update your application with the new key before deactivating the old one.
!!!

---

## Authentication Errors

| Status Code | Error Code | Description |
|-------------|------------|-------------|
| 401 | `AUTHENTICATION_ERROR` | Missing or invalid API key |
| 403 | `FORBIDDEN_ERROR` | Valid key but insufficient permissions |

+++ TypeScript
```typescript
import { isHivePayError } from '@hivepay/client';

try {
  await hivepay.payments.create({ ... });
} catch (error) {
  if (isHivePayError(error) && error.isAuthError()) {
    console.error('Invalid or missing API key');
  }
}
```
+++