# Authentication

All requests are authenticated with a bearer token sent in the `Authorization` header. The API does not use OAuth, sessions, or per-request signing.

## Header format

```
Authorization: Bearer YOUR_KEY
```

Requests without this header return `401 Unauthorized`. Invalid keys return `401` with `{ "error": { "code": "unauthorized" } }` in the response body.

## Quickstart

Confirm a key is active by requesting any tracked ticker.

```shell
curl https://api.tickerbot.io/v2/tickers/AAPL \
  -H "Authorization: Bearer YOUR_KEY"
```

A `200` indicates the key is valid. `401` indicates the key is missing or invalid; `403` indicates the key is valid but the requested capability is not included in the key's plan.

## Issuing keys

Keys are issued from the dashboard at https://tickerbot.io/api. The first key is shown after checkout; additional keys (for staging, CI, or per-environment isolation) are created from the dashboard.

Keys are independent. Usage counts, rate limits, and webhook ownership are scoped to the issuing key, not the account. Rotating a key does not transfer ownership of resources created by the previous key.

## Plans and rate limits

Per-key rate limits and per-plan capacity (universes, rules, webhooks, history depth) are documented in one place: https://tickerbot.io/pricing. Every plan starts with a 14-day free trial; cancel anytime.

## Handling keys

- Keys are credentials. Do not commit them to source control, embed them in mobile applications, or include them in browser bundles.
- Use separate keys for staging and production environments.
- Revoke exposed keys from the dashboard. Revocation takes effect immediately.