
# Authentication

This document outlines the authentication methods for interacting with the Cryptoix API. Securely authenticating your requests is crucial for accessing your merchant account data and performing actions on behalf of your business.

## API Key Generation and Management

API keys are the primary mechanism for authenticating your applications with the Cryptoix API. They are unique credentials that grant programmatic access to your merchant account.

### Obtaining an API Key

1. **Log in** to your Cryptoix merchant dashboard.
2. Navigate to **Settings** > **API Keys**.
3. Click on the **"Generate New API Key"** button.
4. Provide a descriptive **label** for your API key (e.g., "E-commerce Platform Integration", "Reporting Tool").
5. *Note: The available scopes are not documented on this page. For integrations, start with the minimum required permissions and expand only if necessary.*
6. Click **"Confirm"**.

Your new API key will be displayed. **Treat your API key like a password.** For security reasons, it will only be shown once. Copy it immediately and store it in a secure location.

### Managing API Keys

From the **API Keys** section in your dashboard, you can:

* **View Existing Keys:** See a list of your generated API keys, their labels, and their associated permissions.
* **Revoke Keys:** If an API key is compromised or no longer needed, you can revoke it immediately. This will disable all access associated with that key.
* **Edit Key Labels:** Update the descriptive label for any of your API keys.

**Best Practice:** Generate separate API keys for different applications or services. This allows you to manage permissions granularly and revoke access for a specific integration without affecting others.

## Authentication Methods

The Cryptoix API supports authentication using API keys passed in the request headers.

### API Key Authentication

All requests to the Cryptoix API must include your API key in the `Authorization` header. The key should be prefixed with `Bearer` and a space.

**Header Format:**

```http
Authorization: Bearer YOUR_API_KEY
```

*Note: `YOUR_API_KEY` represents a secret token generated for your integration.*

**Example Request:**

```http
GET /api/v1/balance HTTP/1.1
Host: api.cryptoix.io
Authorization: Bearer YOUR_API_KEY
Accept: application/json
```

Replace `YOUR_API_KEY` with your actual API key.

### Error Responses for Authentication Failures

If your API key is missing, invalid, or lacks the necessary permissions for a requested resource, the API will return an appropriate error response.

* **`401 Unauthorized`:** Typically returned when the API key is missing or malformed.
* **`403 Forbidden`:** Returned when the API key is valid but does not have the required permissions (scopes) to access the requested resource.

**Example `401 Unauthorized` Response:**

```json
{
  "status": "error",
  "message": "Authentication failed. Please provide a valid API key."
}
```

**Example `403 Forbidden` Response:**

```json
{
  "status": "error",
  "message": "Permission denied. The API key does not have the required scope for this action."
}
```

## Securing API Requests

To ensure the security and integrity of your API interactions with Cryptoix, follow these best practices:

### 1. Securely Store Your API Keys

* **Never embed API keys directly in client-side code** (e.g., JavaScript running in a browser).
* **Store API keys in environment variables** on your server or in a secure configuration management system.
* **Avoid committing API keys to version control systems** (e.g., Git). Use `.gitignore` to exclude sensitive files.

### 2. Use HTTPS

* Always make API requests over HTTPS to encrypt data in transit between your application and the Cryptoix API endpoints. The Cryptoix API is only available over HTTPS.

### 3. Grant Least Privilege

* When generating API keys, assign only the necessary permissions (scopes) required for the specific integration. This minimizes the potential impact if a key is compromised.

### 4. Monitor API Key Usage

* Regularly review the API keys associated with your account in the Cryptoix merchant dashboard.
* Revoke any keys that are no longer in use or that you suspect may have been compromised.

### 5. Implement Rate Limiting

* The Cryptoix API enforces rate limits to prevent abuse and ensure fair usage. Be prepared to handle `429 Too Many Requests` responses by implementing retry logic with exponential backoff.
* *Note: Specific rate limit values are not given on this page. Refer to the API reference documentation for any available details.*

### 6. Validate Webhook Signatures (If Applicable)

* *Note: This page does not specify how webhook signatures are validated. If this feature is implemented, consult the specific webhook documentation for details on the signature header and validation process.*

### 7. Handle Errors Gracefully

* Implement robust error handling in your application to manage authentication failures (`401`, `403`), rate limiting (`429`), and other potential API errors. Provide informative feedback to users or log errors for debugging.
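The following client sketch is an added example, not Cryptoix's own code. It combines the practices above: the key is read from the environment, sent as a `Bearer` header over HTTPS only, `401`/`403` fail immediately without retrying, and `429` is retried with exponential backoff. The variable name `CRYPTOIX_API_KEY`, the function names, and the retry parameters are assumptions; the host and header format come from the example request on this page.

```python
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.cryptoix.io"  # host from the page's example request

class AuthError(Exception):
    """401/403 or missing key: retrying cannot help; fix or replace the key."""

def http_get(url, headers):
    """Default transport: returns (status, body_text) via the standard library."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def _message(body):
    """Extract the "message" field of an error body, tolerating non-JSON."""
    try:
        return json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        return ""

def get_json(path, transport=http_get, sleep=time.sleep,
             base_url=BASE_URL, max_retries=4, base_delay=1.0):
    # The key comes from the environment, never from source code.
    # CRYPTOIX_API_KEY is a variable name assumed for this example.
    key = os.environ.get("CRYPTOIX_API_KEY")
    if not key:
        raise AuthError("CRYPTOIX_API_KEY is not set")
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    headers = {"Authorization": f"Bearer {key}", "Accept": "application/json"}
    for attempt in range(max_retries + 1):
        status, body = transport(base_url + path, headers)
        if status == 200:
            return json.loads(body)
        if status in (401, 403):
            # Surface the server's message; never log the key itself.
            raise AuthError(f"HTTP {status}: {_message(body)}")
        if status == 429 and attempt < max_retries:
            sleep(base_delay * 2 ** attempt)  # waits 1s, 2s, 4s, ...
            continue
        raise RuntimeError(f"HTTP {status}: {_message(body)}")
```

The `transport` and `sleep` parameters exist so the retry and failure paths can be exercised in tests without network access or real delays.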

By adhering to these security practices, you can ensure a safe and reliable integration with the Cryptoix API.

