> ## Documentation Index
> Fetch the complete documentation index at: https://developer.obiex.finance/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate your API requests

Most API calls on Obiex are authenticated. API requests made without authorization will fail with status code `401: Unauthorized`.

## Getting Your API Credentials

1. Create an [Obiex Staging account](https://staging.app.obiex.finance/auth/signup)
2. Log in to your [Obiex Staging dashboard](https://staging.app.obiex.finance/auth/login)
3. Navigate to **Settings** > **Developers** > **API Keys**
4. Click **Create API Keys** to generate your keys

### Your Keys

| Key            | Description                                           |
| -------------- | ----------------------------------------------------- |
| **API Key**    | Used in request headers to authenticate your requests |
| **Secret Key** | Used to sign your requests; never expose publicly     |

<Warning>
  If you think your keys may have been compromised, immediately generate new ones from your dashboard: **Settings** > **API Keys** > **Generate new keys**
</Warning>

## Authorizing API Calls

To authorize API calls, include these headers:

| Header            | Description                             |
| ----------------- | --------------------------------------- |
| `X-API-KEY`       | Your API key                            |
| `X-API-TIMESTAMP` | Number of milliseconds since Unix epoch |
| `X-API-SIGNATURE` | SHA256 HMAC signature of the request    |

### Signature Generation

The signature is generated by creating an HMAC SHA256 of the following concatenated string:

```
{http_method}{request_path}{request_timestamp}
```

<Note>
  The `request_path` must include the full path including `/v1`. For example: `/v1/addresses/me/broker`
</Note>

**Example in Node.js:**

```typescript theme={null}
import { createHmac } from 'crypto';

function signRequest(method: string, url: string, apiSecret: string) {
  const timestamp = Date.now();
  const path = url.startsWith('/') ? url : `/${url}`;
  const content = `${method.toUpperCase()}${path}${timestamp}`;
  
  const signature = createHmac('sha256', apiSecret)
    .update(content)
    .digest('hex');
    
  return { timestamp, signature };
}
```

### Complete Example

```typescript theme={null}
import axios from 'axios';
import { createHmac } from 'crypto';

const apiKey = 'YOUR_API_KEY';
const apiSecret = 'YOUR_SECRET_KEY';

const client = axios.create({
  baseURL: 'https://staging.api.obiex.finance',
});

client.interceptors.request.use((config) => {
  const timestamp = Date.now();
  const path = config.url || '';
  const content = `${config.method?.toUpperCase()}${path}${timestamp}`;
  
  const signature = createHmac('sha256', apiSecret)
    .update(content)
    .digest('hex');
    
  config.headers['X-API-KEY'] = apiKey;
  config.headers['X-API-TIMESTAMP'] = timestamp.toString();
  config.headers['X-API-SIGNATURE'] = signature;
  
  return config;
});

// Make authenticated request
const response = await client.get('/v1/addresses/me/broker');
```

## Security Best Practices

* **Never** commit your API keys to Git
* **Never** expose keys in client-side JavaScript
* Store keys as environment variables
* Rotate keys immediately if compromised
