# Authentication

All requests are authenticated with a bearer token sent in the `Authorization` header. The API does not use OAuth, sessions, or per-request signing.

## Header format

```
Authorization: Bearer YOUR_KEY
```

Requests without this header return `401 Unauthorized`. Invalid keys return `401` with `{ "error": { "code": "unauthorized" } }` in the response body.

## Quickstart

Confirm a key is active by requesting any tracked ticker.

```shell
curl "https://api.tickerbot.io/v2/tickers/AAPL" \
  -H "Authorization: Bearer YOUR_KEY"
```

A `200` indicates the key is valid. `401` indicates the key is missing or invalid; `403` indicates the key is valid but the requested capability is not included in the key's plan.

## Issuing keys

Keys are issued from the dashboard at https://tickerbot.io/api. The first key is shown after checkout; additional keys (for staging, CI, or per-environment isolation) are created from the dashboard.

Rate limits are per-key. Created resources — webhook subscriptions, custom signals, universes — are account-scoped: every key on the same account sees the same registry. Rotating a key never strands those resources.

## Plans and rate limits

Per-key rate limits and per-plan capacity (rate, webhook cadence, premium signals, news archive, custom signals) are documented in one place: https://tickerbot.io/pricing. Sign up and you get a 14-day free trial with every feature included — no credit card required.

## Handling keys

- Keys are credentials. Do not commit them to source control, embed them in mobile applications, or include them in browser bundles.
- Use separate keys for staging and production environments.
- Revoke exposed keys from the dashboard. Revocation takes effect immediately.
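
The Quickstart check and the key-handling rules above can be combined into one script suitable for CI. This is an added example, not code from the Tickerbot documentation; the variable name `TICKERBOT_API_KEY` and the function names are assumptions. The key is read from the environment and passed to curl on stdin, so it never appears in the script, in shell history, or in the process list.

```shell
#!/bin/sh
# Added example. TICKERBOT_API_KEY is an assumed environment variable name.

# Map the status codes documented on this page to a result string.
classify_status() {
  case "$1" in
    200) echo "valid" ;;
    401) echo "missing-or-invalid" ;;
    403) echo "valid-but-not-in-plan" ;;
    *)   echo "unexpected" ;;
  esac
}

# Request a tracked ticker and print only the HTTP status code.
# "-H @-" makes curl read the header from stdin instead of argv.
fetch_status() {
  printf 'Authorization: Bearer %s\n' "$TICKERBOT_API_KEY" |
    curl -sS -o /dev/null -w '%{http_code}' -H @- \
      "https://api.tickerbot.io/v2/tickers/$1"
}

# Returns 0 when the key authenticates (200 or 403), 1 when it does not,
# 2 when no key is configured, 3 when the request itself fails.
check_key() {
  if [ -z "${TICKERBOT_API_KEY:-}" ]; then
    echo "TICKERBOT_API_KEY is not set" >&2
    return 2
  fi
  code=$(fetch_status "${1:-AAPL}") || { echo "request failed" >&2; return 3; }
  result=$(classify_status "$code")
  echo "$result"
  case "$result" in
    valid|valid-but-not-in-plan) return 0 ;;
    *) return 1 ;;
  esac
}

# Run only when invoked as: sh check_key.sh check [TICKER]
if [ "${1:-}" = "check" ]; then
  check_key "${2:-AAPL}"
  exit $?
fi
```

A `403` is treated as success here because the key itself authenticated; only the plan capability is missing.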
