> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stablepay.global/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Secure your API requests with Bearer tokens

All API requests require authentication using a Bearer token in the Authorization header.

## API Keys

You'll receive an API key when you register as a partner. API keys look like:

```
pk_live_a1b2c3d4e5f6g7h8i9j0...
```

<Warning>
  Keep your API key secure. Never expose it in client-side code or public repositories.
</Warning>

## Making Authenticated Requests

Include your API key in the `Authorization` header:

```bash theme={null}
curl https://api.stablepay.global/v2/users \
  -H "Authorization: Bearer pk_live_your_api_key"
```

## Environments

| Environment | Base URL                               | Key Prefix    |
| ----------- | -------------------------------------- | ------------- |
| Production  | `https://api.stablepay.global`         | `pk_live_`    |
| Sandbox     | `https://sandbox-api.stablepay.global` | `pk_sandbox_` |

<Note>
  Use sandbox keys for testing. Sandbox transactions don't result in real payouts.
</Note>

## Error Responses

Authentication errors return `401 Unauthorized`:

```json theme={null}
{
  "error": "Unauthorized",
  "message": "Invalid or missing API key"
}
```

Rate limit errors return `429 Too Many Requests`:

```json theme={null}
{
  "error": "Rate Limit Exceeded",
  "message": "Too many requests. Please try again later.",
  "retryAfter": 60
}
```

## IP Whitelisting (Optional)

For additional security, you can whitelist IP addresses in the Dashboard. When enabled, requests from non-whitelisted IPs will be rejected.

## Webhook Signature Verification

Webhooks are signed using HMAC-SHA256. See the [Webhooks guide](/guides/webhooks#signature-verification) for implementation details.
