> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pay.plexos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys and authentication

## API Keys

All API requests require a Bearer token in the `Authorization` header:

```bash theme={null}
Authorization: Bearer sk_test_YOUR_API_KEY
```

### Key Types

| Prefix     | Environment | Real Charges |
| ---------- | ----------- | ------------ |
| `sk_test_` | Sandbox     | No           |
| `sk_live_` | Production  | Yes          |

Both key types use the same API endpoint (`https://api.plexospay.com`). The key determines the environment.

### Creating an API Key

<Steps>
  <Step title="Sign in to the Dashboard">
    Go to [dashboard.plexospay.com](https://dashboard.plexospay.com)
  </Step>

  <Step title="Navigate to API Keys">
    Click **Settings** → **API Keys** in the sidebar
  </Step>

  <Step title="Create a key">
    Click **Create API Key**, give it a name, and copy the secret key.

    <Warning>The secret key is only shown once. Store it securely — you cannot retrieve it later.</Warning>
  </Step>
</Steps>

### Security Best Practices

<AccordionGroup>
  <Accordion title="Never expose your secret key in client-side code">
    API keys should only be used server-side. Never include them in JavaScript bundles, mobile apps, or public repositories.
  </Accordion>

  <Accordion title="Use environment variables">
    Store your API key in an environment variable like `PLEXOS_PAY_SECRET_KEY` rather than hardcoding it.
  </Accordion>

  <Accordion title="Rotate keys regularly">
    If you suspect a key has been compromised, revoke it immediately and create a new one from the dashboard.
  </Accordion>

  <Accordion title="Use test keys for development">
    Always use `sk_test_` keys during development. Switch to `sk_live_` only in production.
  </Accordion>
</AccordionGroup>
