# Authentication

> Authenticate requests with bearer API keys and manage key lifecycle safely.

All Gateway requests require a bearer API key.

Create and manage keys in the AI Stats dashboard.

<Note>
  Calls to `:free` models can run with zero deposited credits. Paid-model calls require available wallet balance.
</Note>

## Using an API key

Include your API key in the `Authorization` header using the `Bearer` scheme:

```bash
curl https://api.phaseo.app/v1/responses \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "openai/gpt-5-nano",
    "input": "Hello!"
  }'
```

## Key format and handling

* Key format: `aistats_v1_sk_<kid>_<secret>`
* Store keys in a secrets manager, not in browser code.
* Use separate keys per app/environment for safer rotation.

## Management keys

Management API keys are created and managed in the AI Stats dashboard, not through the public API.

Use them for elevated administration endpoints such as [Credits](./endpoint/credits.mdx) and [Activity](./endpoint/activity.mdx), and for future control-plane APIs like guardrails, key management, and workspace management.

## Authentication failures

* `401`: Missing, malformed, or invalid API key.
* `403`: Key is valid but cannot access the requested capability.
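
The handling rules under "Key format and handling" and the two statuses above can be combined in a small server-side wrapper. This is an added example, not code from AI Stats: the `AISTATS_API_KEY` variable name, the function names, and the character sets assumed for `<kid>` and `<secret>` are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not AI Stats code. AISTATS_API_KEY is an assumed variable
# name; populate it from your secrets manager at process start.

# Mask the <secret> part of any gateway key in a text stream, keeping the
# prefix and <kid> field so log lines stay attributable to a key.
# Assumption: <kid> is alphanumeric and <secret> uses [A-Za-z0-9_-].
redact_gateway_keys() {
  sed -E 's/(aistats_v1_sk_[A-Za-z0-9]+)_[A-Za-z0-9_-]+/\1_[REDACTED]/g'
}

# Translate the two documented authentication statuses into an action.
classify_auth_status() {
  case "$1" in
    401) echo "key-rejected: key is missing, malformed, or invalid" ;;
    403) echo "capability-denied: key is valid but not allowed here" ;;
    *)   echo "not-an-auth-failure" ;;
  esac
}

# POST a JSON body ($2) to a gateway path ($1); response body goes to $3.
# The Authorization header is fed to curl on stdin (-H @-, curl >= 7.55.0),
# so the key never appears in the process argument list.
gateway_post() (
  [ -n "${AISTATS_API_KEY:-}" ] || { echo "AISTATS_API_KEY is not set" >&2; exit 2; }
  status=$(printf 'Authorization: Bearer %s\n' "$AISTATS_API_KEY" |
    curl -sS -o "${3:-/dev/null}" -w '%{http_code}' -H @- \
      -H 'Content-Type: application/json' -d "$2" \
      "https://api.phaseo.app$1") || exit 1
  case "$status" in
    401|403) classify_auth_status "$status" >&2; exit 3 ;;
  esac
  echo "$status"
)
```

Pipe application logs through `redact_gateway_keys` before they leave the host, and treat exit code 3 from `gateway_post` as a signal to check the key rather than retry.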

## Related pages

* [Limits](./limits.mdx)
* [Errors and Debugging](./errors.mdx)

If you are implementing authentication flows as an agent:

* Use repository skills for secret handling and environment wiring.
* Never place gateway API keys in client-delivered code.
* Prefer short-lived internal tokens between frontend and your backend, with gateway keys only server-side.
