> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stablegenius.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API key types, management, and security best practices

# Authentication

The Stable Genius API uses API keys for authentication. Include your key in the `Authorization` header of every request.

```bash theme={null}
Authorization: Bearer sk_test_abc123
```

## API Key Types

| Key Prefix | Environment | Description                                                 |
| ---------- | ----------- | ----------------------------------------------------------- |
| `sk_test_` | Sandbox     | Test payments on Base Sepolia testnet. No real money moves. |
| `sk_live_` | Production  | Real USDC payments on Base mainnet.                         |

<Warning>
  **Never expose your API keys in client-side code.** API keys should only be used in server-to-server requests. If a key is compromised, revoke it immediately from the dashboard.
</Warning>

## Getting Your API Keys

<Info>
  The Stable Genius API is currently in private beta. [Request early access](https://stablegenius.co/early-access) to receive your API keys.
</Info>

Once approved, you can manage API keys from the [developer dashboard](https://app.stablegenius.co/developers):

1. Navigate to **Settings → API Keys**
2. Click **Create API Key**
3. Copy the key immediately — it's only shown once
4. Store it securely (environment variables, secrets manager)

## Key Permissions

Each API key has access to all merchants associated with the integrator's account. A single key can create payment intents for multiple merchants.

## Key Rotation

To rotate a key without downtime:

1. Create a new API key in the dashboard
2. Update your integration to use the new key
3. Verify requests succeed with the new key
4. Revoke the old key

Both keys work simultaneously until you revoke the old one.

## Security Best Practices

* Store keys in environment variables or a secrets manager (never hardcode)
* Use `sk_test_` keys during development and CI/CD
* Rotate keys quarterly or immediately if compromised
* Use webhook signatures to verify events are from Stable Genius (see [Webhook Security](/api-reference/webhook-security))
* Restrict server egress to allow only `api.stablegenius.co` if possible
