# Authentication

> Use workspace API keys as bearer tokens for API requests.

The Onstacks API uses workspace API keys. Send the key as a bearer token in the `Authorization` header.

```http
Authorization: Bearer <api_key>
```

## API key format

Use the key value returned when the workspace API key is created. The API returns the full token only once.

Store the token in a secret manager or server-side environment variable:

```bash
export ONSTACKS_API_KEY="osk_test_..."
```

## Example request

```bash
curl "$ONSTACKS_API_URL/v1/balances?environment=sandbox" \
  -H "Authorization: Bearer $ONSTACKS_API_KEY"
```

## Environments

Most resource routes accept `environment=sandbox` or `environment=live`.

Use separate API keys for sandbox and live access when your workspace policy requires environment separation.

## Scopes

API keys can be created with scopes such as:

* `wallets:read`
* `transfers:read`
* `transfers:create`
* `transfers:approve`
* `api_keys:manage`
* `admin:*`

Use the narrowest scope set required by the integration.

## Security practices

* Keep live API keys on trusted servers.
* Do not place API keys in browser bundles, mobile apps, public repositories, or logs.
* Rotate keys on a regular schedule.
* Revoke keys immediately when they are no longer needed.
* Use `sandbox` keys for test automation.
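
The rule about keeping keys out of logs can be enforced in code. The following is an added example, not Onstacks code: a Python logging filter that masks `Authorization: Bearer` values and `osk_`-prefixed keys before a record is written. The character set after `osk_` is an assumption based on the `osk_test_...` example above; the logger name and sample key are constructed.

```python
import io
import logging
import re

# Assumption: keys start with "osk_" (as in the page's "osk_test_..." example)
# followed by letters, digits, underscores or hyphens.
KEY_RE = re.compile(r"\bosk_[A-Za-z0-9_-]{4,}")
# Any credential sent as "Authorization: Bearer <value>", whatever its prefix.
BEARER_RE = re.compile(r"(authorization:\s*bearer\s+)[^\s\"']+", re.IGNORECASE)


def redact(text: str) -> str:
    """Mask bearer credentials and osk_ keys in a string."""
    text = BEARER_RE.sub(r"\1[REDACTED]", text)
    return KEY_RE.sub("osk_[REDACTED]", text)


class RedactKeys(logging.Filter):
    """Logging filter that rewrites each record before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so keys passed as %-style arguments are caught too.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def demo() -> list:
    """Log constructed lines through the filter; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    # Attach to the handler so every record reaching it is filtered.
    handler.addFilter(RedactKeys())
    log = logging.getLogger("onstacks_demo")  # hypothetical logger name
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False
    fake = "osk_test_CONSTRUCTED0000example"  # constructed value, not a real key
    log.info("request headers: Authorization: Bearer %s", fake)
    log.info("loaded key %s for environment=sandbox", fake)
    log.info("GET /v1/balances?environment=sandbox -> 200")
    log.removeHandler(handler)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    print("\n".join(demo()))
```

The filter covers the formatted message only; exception tracebacks and structured `extra` fields need their own handling.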
