
# Authentication

> API keys, headers, and what to do if a key leaks.

Every request except `/health` uses a Bearer token:

```http
Authorization: Bearer oxi_sk_live_...
```

## The key

| Property                | Value                                                        |
| ----------------------- | ------------------------------------------------------------ |
| Format                  | `oxi_sk_live_` + 64 hex chars (76 chars total)               |
| Storage on our side     | HMAC-SHA256 hash. We never store plaintext.                  |
| Active keys per account | 1. Regenerating revokes the old key.                         |
| Where to generate       | [0xinsider.com/developers](https://0xinsider.com/developers) |

The key is shown **once**, at generation. After that, the dashboard shows only the prefix (`oxi_sk_live_XXXX`) so you can identify it.

## Generate a key

1. Log in at [0xinsider.com](https://0xinsider.com).
2. Open [Developers](https://0xinsider.com/developers).
3. Click **Generate Key**.
4. Copy it immediately.

## Common mistakes

<AccordionGroup>
  <Accordion title="Missing 'Bearer' prefix in the header">
    Wrong:

    ```
    Authorization: oxi_sk_live_...
    ```

    Right:

    ```
    Authorization: Bearer oxi_sk_live_...
    ```

    Without the `Bearer` prefix you get `401 invalid_api_key`.
  </Accordion>

  <Accordion title="Pasting only part of the key">
    The full key is 76 characters. Anything shorter is a partial copy.
  </Accordion>

  <Accordion title="Hitting an authenticated endpoint without a subscription">
    A valid key with an expired subscription returns `402 subscription_required`. Re-subscribe at [pricing](https://0xinsider.com/pricing); the same key resumes.
  </Accordion>

  <Accordion title="Reusing an old key after regenerating">
    Regenerating revokes the old key in the same call. Update every place it lives: `.env` files, deployed secrets, MCP configs.
  </Accordion>
</AccordionGroup>

## If a key leaks

Treat it like any production secret:

1. Go to [Developers](https://0xinsider.com/developers).
2. Click **Regenerate Key**. The old key dies immediately.
3. Roll the new key into every consumer: bots, MCP configs, CI secrets, dashboards.
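
To find every place a key lives before rolling it, and to catch partial copies before a request is sent, the key format from the table above can be checked mechanically. This is an added example, not 0xinsider's code; the function names, the constructed sample `.env` text, accepting either hex case, and redacting to the prefix plus 4 characters are assumptions.

```python
import re

# Key format from the table above: "oxi_sk_live_" + 64 hex chars = 76 chars.
PREFIX = "oxi_sk_live_"
KEY_RE = re.compile(r"oxi_sk_live_[0-9a-fA-F]{64}")  # hex case is an assumption
# Anything that starts like a key, so partial copies are caught too.
CANDIDATE_RE = re.compile(r"oxi_sk_live_[0-9a-fA-F]*")

def is_well_formed(key: str) -> bool:
    """True only for a complete 76-character key."""
    return len(key) == 76 and KEY_RE.fullmatch(key) is not None

def redact(key: str) -> str:
    """Keep the prefix plus 4 characters (assumed display form) so output is safe to log."""
    return key[:len(PREFIX) + 4] + "..."

def auth_header(key: str) -> dict:
    """Build the Bearer header, rejecting malformed keys before any request is made."""
    key = key.strip()
    if not is_well_formed(key):
        raise ValueError(f"malformed key {redact(key)!r}: expected 76 chars, got {len(key)}")
    return {"Authorization": f"Bearer {key}"}

def scan(text: str) -> list:
    """Return (line_no, redacted_key, kind) for every key-like string in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            token = m.group()
            if len(token) == len(PREFIX):
                continue  # bare prefix, e.g. the "oxi_sk_live_..." placeholder in docs
            kind = "full" if is_well_formed(token) else "malformed"
            findings.append((line_no, redact(token), kind))
    return findings

SAMPLE_KEY = PREFIX + "0123456789abcdef" * 4  # constructed value, not a real key
SAMPLE_ENV = (
    "# constructed sample .env\n"
    f"OXI_API_KEY={SAMPLE_KEY}\n"
    f"OLD_KEY={SAMPLE_KEY[:40]}\n"
    "DOC=Authorization: Bearer oxi_sk_live_...\n"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENV):
        print(finding)
```

Run `scan` over `.env` files, MCP configs and CI variable exports; a `full` finding is a live copy to replace, and a `malformed` one is a truncated paste that would fail with `401 invalid_api_key`.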

## Key management endpoints

These manage *your own* keys from the dashboard. They use the session cookie (JWT), not an API key, so you can't call them from a script with `oxi_sk_live_...`.

| Action     | Method   | Endpoint               |
| ---------- | -------- | ---------------------- |
| Create key | `POST`   | `/api/keys`            |
| List keys  | `GET`    | `/api/keys`            |
| Revoke key | `DELETE` | `/api/keys/{id}`       |
| Regenerate | `POST`   | `/api/keys/regenerate` |

## A subscription-blocked response

```json
{
  "object": "error",
  "error": {
    "code": "subscription_required",
    "message": "Active Insider subscription required.",
    "doc_url": "https://docs.0xinsider.com/authentication"
  }
}
```
