# Authentication

**🔨 In Development** — This section is still being developed and may change.

Freddy API supports two authentication methods: API keys and Bearer tokens. Both methods provide secure access to the API endpoints.

## API Keys

API keys are the primary authentication method for Freddy API. They provide simple, long-lived access to your account.

### Getting Your API Key

1. Visit [Freddy Hub](https://freddy-hub.aitronos.com/freddy/api)
2. Sign in to your account
3. Navigate to the API Keys section
4. Generate a new API key
5. Copy and store the key securely

### Using API Keys

Include the API key in the request header:

```
api-key: YOUR_API_KEY_HERE
```

### Example Request

```bash
curl https://api.freddy.aitronos.com/v1/models \
  -H "api-key: $FREDDY_API_KEY"
```

```python
import os

import requests

# Read the key from the environment rather than hard-coding it.
api_key = os.environ["FREDDY_API_KEY"]

response = requests.get(
    "https://api.freddy.aitronos.com/v1/models",
    headers={"api-key": api_key}
)
```

```javascript
const response = await fetch('https://api.freddy.aitronos.com/v1/models', {
  headers: {
    'api-key': process.env.FREDDY_API_KEY
  }
});
```

## Bearer Tokens

Bearer tokens provide session-based authentication with automatic expiration and refresh capabilities.

### Getting Bearer Tokens

Bearer tokens are obtained through the authentication endpoints:

- Use your API key credentials to authenticate
- Receive a JWT token in response
- Include the token in subsequent requests

### Using Bearer Tokens

Include the Bearer token in the Authorization header:

```
Authorization: Bearer YOUR_JWT_TOKEN_HERE
```

### Example Request

```bash
curl https://api.freddy.aitronos.com/v1/models \
  -H "Authorization: Bearer $FREDDY_JWT_TOKEN"
```

```python
import os

import requests

# Read the token from the environment rather than hard-coding it.
jwt_token = os.environ["FREDDY_JWT_TOKEN"]

response = requests.get(
    "https://api.freddy.aitronos.com/v1/models",
    headers={"Authorization": f"Bearer {jwt_token}"}
)
```

```javascript
const response = await fetch('https://api.freddy.aitronos.com/v1/models', {
  headers: {
    'Authorization': `Bearer ${process.env.FREDDY_JWT_TOKEN}`
  }
});
```

## Security Best Practices

### API Key Security

- **Environment Variables**: Store API keys in environment variables, never in code
- **Key Rotation**: Regularly rotate your API keys for enhanced security
- **Minimal Permissions**: Create separate keys for different applications/use cases
- **Secure Storage**: Never commit API keys to version control

### Bearer Token Security

- **Token Storage**: Store tokens securely in memory or secure cookie storage
- **Automatic Refresh**: Implement automatic token refresh before expiration
- **Secure Transmission**: Always use HTTPS for API requests
- **Token Revocation**: Implement proper logout to invalidate tokens

### General Security

- **HTTPS Only**: Always use HTTPS for all API requests
- **Request Validation**: Validate all input parameters on both client and server
- **Rate Limiting**: Implement client-side rate limiting to avoid hitting API limits
- **Error Handling**: Don't expose sensitive information in error messages

## Error Responses

**401 Unauthorized**

- Missing authentication header
- Invalid or expired API key/token
- Account suspended or disabled

**403 Forbidden**

- Valid authentication but insufficient permissions
- API key doesn't have access to the requested resource

## Rate Limits

The authentication method may affect rate limits:

- API keys: Standard rate limits apply
- Bearer tokens: May have different limits based on account type

Check [Rate Limiting](/docs/documentation#rate-limiting) for detailed information.

## Troubleshooting

### Common Authentication Issues

1. **"Invalid API key"**: Verify the key is correct and not expired
2. **"Missing authentication"**: Ensure you're including the proper header
3. **"Insufficient permissions"**: Check if your key has access to the endpoint
4. **"Account suspended"**: Contact support if your account is disabled

### Getting Help

- Check your [Freddy Hub dashboard](https://freddy-hub.aitronos.com) for account status
- Review API key permissions and usage
- Contact [support@aitronos.com](mailto:support@aitronos.com) for assistance
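
The following added example (not Aitronos code) shows one way a client can apply the Security Best Practices above: it refuses non-HTTPS URLs, stops using a Bearer token shortly before its JWT `exp` claim, and keeps credentials out of error messages. The function names, the 60-second `REFRESH_MARGIN`, and the fallback to the API key are assumptions, since this page does not specify the token refresh endpoint; `sample_token` builds a constructed, unsigned token for the demo.

```python
import base64
import json
import os
import time
from urllib.parse import urlsplit

REFRESH_MARGIN = 60  # seconds before `exp` to stop using a token (assumed value)

def jwt_expiry(token):
    """Return the JWT's `exp` claim (Unix seconds), or None if absent or malformed.

    The payload is read without verifying the signature, so use the result
    only to schedule a refresh, never to make a trust decision.
    """
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (IndexError, ValueError, AttributeError):
        return None
    return exp if isinstance(exp, (int, float)) and not isinstance(exp, bool) else None

def needs_refresh(token, now=None, margin=REFRESH_MARGIN):
    """True when the token is unreadable, expired, or within `margin` of expiry."""
    exp = jwt_expiry(token)
    now = time.time() if now is None else now
    return exp is None or now >= exp - margin

def auth_headers(url, api_key=None, jwt_token=None, now=None):
    """Pick the header for `url`: a fresh Bearer token, else the API key."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials to a non-HTTPS URL")
    if jwt_token and not needs_refresh(jwt_token, now):
        return {"Authorization": f"Bearer {jwt_token}"}
    if api_key:
        return {"api-key": api_key}
    # The message names the problem but never echoes a key or token.
    raise ValueError("no usable credential: token expiring or missing, no API key")

def sample_token(exp):
    """Constructed, unsigned token for the demo; not a real Freddy token."""
    body = base64.urlsafe_b64encode(json.dumps({"exp": exp}).encode()).rstrip(b"=")
    return f"e30.{body.decode()}.sig"

if __name__ == "__main__":
    url = "https://api.freddy.aitronos.com/v1/models"
    token = sample_token(int(time.time()) + 3600)
    # Print only the header names so the credential itself is never logged.
    print(list(auth_headers(url, os.environ.get("FREDDY_API_KEY"), token)))
```

Pass the returned dictionary as `headers=` to `requests.get`, and treat the "no usable credential" error as the signal to obtain a new token.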