> ## Documentation Index
> Fetch the complete documentation index at: https://docs.trycactus.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys, environments, and keeping credentials safe.

Every request carries an API key in the `Authorization` header:

```
Authorization: Bearer ck_live_...
```

Keys are issued by Cactus at kickoff and can be rotated or revoked at any
time — contact your Cactus representative to manage keys.

## Live and sandbox keys

| Prefix        | Environment               | Billing                |
| ------------- | ------------------------- | ---------------------- |
| `ck_live_`    | Real processing           | Debits your usage pool |
| `ck_sandbox_` | Instant fixture responses | Never billed           |

Both key types use the same base URL and identical request shapes, so
switching your integration from sandbox to live is a one-variable change.

## Key safety

* Keys are shown once at issuance and cannot be recovered — store them in a
  secrets manager.
* Send keys only in the `Authorization` header over HTTPS. Never embed them
  in client-side code or URLs.
* If a key may have been exposed, ask us to rotate it — a replacement is
  issued immediately and the old key is revoked.

## Errors

Requests without a valid key return `401` with a machine-readable `code`
(`missing_api_key`, `invalid_api_key`, `revoked_api_key`, or
`expired_api_key`). A key lacking access to a product returns `403` with
`missing_scope`.
