---
title: Authentication | 0ct
description: Learn how to authenticate with the 0ct API
---

# Authentication

0ct uses API keys to authenticate requests. This guide covers how to create, manage, and use API keys for accessing the 0ct API.

## Creating an API Key

1. Log in to your 0ct dashboard
2. Navigate to **Settings** → **API Keys**
3. Click **Generate New Key**
4. Give your key a descriptive name (e.g., “Production Server” or “CI/CD Pipeline”)
5. Copy the key immediately—it won’t be shown again!

## Using Your API Key

### SDK Authentication

The recommended way to authenticate is using the 0ct SDK:

```
import Oct from '0ct';

const client = new Oct({
  apiKey: process.env.OCT_API_KEY
});
```

### Direct API Authentication

For direct HTTP requests, include your API key in the `Authorization` header:

```
curl https://0ct.com/api/promptly/tasks \
  -H "Authorization: Bearer your-api-key-here"
```

### Environment Variables

We strongly recommend storing your API key in environment variables rather than hardcoding:

```
# .env file
OCT_API_KEY=sk_live_xxxxxxxxxxxxx
```

```
// Your code
const client = new Oct({
  apiKey: process.env.OCT_API_KEY
});
```

## API Key Scopes

API keys in 0ct are scoped to your organization. A single key provides access to all resources within that organization:

- Tasks (create, read, update, delete, run)
- Sources (create, read, update, delete)
- Skills (create, read, update, delete)
- Destinations (create, read, update, delete)
- Runs (read)
- Usage statistics (read)

## Security Best Practices

### Do

✅ Store API keys in environment variables\
✅ Use different keys for development and production\
✅ Rotate keys periodically\
✅ Revoke unused keys immediately\
✅ Use secrets managers in production (AWS Secrets Manager, HashiCorp Vault, etc.)

### Don’t

❌ Commit API keys to version control\
❌ Share keys between team members (each person should have their own)\
❌ Include keys in client-side code\
❌ Log API keys in application logs\
❌ Send keys over unencrypted channels

## Key Rotation

To rotate an API key:

1. Generate a new key in **Settings** → **API Keys**
2. Update your application to use the new key
3. Verify the new key works in production
4. Revoke the old key

## Rate Limits

API requests are rate-limited to ensure fair usage:

| Plan       | Requests per minute |
| ---------- | ------------------- |
| Free       | 60                  |
| Pro        | 300                 |
| Enterprise | Custom              |

Rate limit headers are included in every response:

```
X-RateLimit-Limit: 300
X-RateLimit-Remaining: 299
X-RateLimit-Reset: 1706745600
```

## Error Handling

Authentication errors return a `401 Unauthorized` response:

```
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key"
  }
}
```

Common causes:

- Missing `Authorization` header
- Invalid API key format
- Revoked or expired key
- Key from a different organization

## SDK Error Handling

The SDK throws typed errors for authentication issues:

```
import Oct, { AuthenticationError } from '0ct';

const client = new Oct({
  apiKey: process.env.OCT_API_KEY
});

try {
  const tasks = await client.promptly.tasks.list();
} catch (error) {
  if (error instanceof AuthenticationError) {
    console.error('Invalid API key');
    // Handle authentication error
  }
  throw error;
}
```

## Next Steps

With authentication set up, you’re ready to:

- [Create your first task](/getting-started/quickstart/index.md)
- [Connect data sources](/guides/sources/index.md)
- [Explore the API reference](/api/index.md)
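
The "Log API keys in application logs" and "Commit API keys to version control" items under Security Best Practices can be enforced in code. The following is an added example, not part of the 0ct SDK or documentation: it assumes keys follow the `sk_<env>_<token>` shape of the placeholder shown above, and `maskToken`, `redactSecrets` and `findHardcodedKeys` are hypothetical helper names.

```javascript
// Added example: not part of the 0ct SDK or API.
// ASSUMPTION: keys follow the shape of the page's placeholder, sk_<env>_<token>.
const KEY_RE = /\bsk_([a-z]+)_([A-Za-z0-9]{8,})\b/g;
// Any bearer credential, e.g. from a logged Authorization header.
const BEARER_RE = /(Bearer\s+)([A-Za-z0-9._~+\/-]+=*)/gi;

// Keep the environment and last 4 characters so operators can tell which key
// was used; anything that is not key-shaped is dropped entirely.
function maskToken(token) {
  const m = /^sk_([a-z]+)_([A-Za-z0-9]{8,})$/.exec(token);
  return m ? `sk_${m[1]}_****${m[2].slice(-4)}` : '[REDACTED]';
}

// Redact bearer tokens and bare key literals before text reaches a logger.
function redactSecrets(text) {
  return String(text)
    .replace(BEARER_RE, (_m, scheme, token) => scheme + maskToken(token))
    .replace(KEY_RE, (m) => maskToken(m));
}

// Scan file contents (for example, files staged for commit) for key literals.
// Returns 1-based line numbers with the masked key, never the key itself.
function findHardcodedKeys(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(KEY_RE)) {
      if (/^(.)\1*$/.test(m[2])) continue; // doc placeholder such as xxxxxxxx
      hits.push({ line: i + 1, key: maskToken(m[0]) });
    }
  });
  return hits;
}

// Constructed sample input; these are not real keys.
const SAMPLE_LOG =
  'POST /api/promptly/tasks 401 headers={"Authorization":"Bearer sk_live_a1b2c3d4e5f6g7h8"}';
const SAMPLE_SOURCE = [
  'const client = new Oct({ apiKey: process.env.OCT_API_KEY });',
  "const legacy = new Oct({ apiKey: 'sk_live_Zq8Lm2Xc9Vb4Nn7K' });",
  'OCT_API_KEY=sk_live_xxxxxxxxxxxxx',
].join('\n');

console.log(redactSecrets(SAMPLE_LOG));
console.log(findHardcodedKeys(SAMPLE_SOURCE));
```

Wrap the logger's write path with `redactSecrets` rather than calling it at individual log sites, and run `findHardcodedKeys` over staged files in a pre-commit hook or CI step.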