# Authentication

All API requests require authentication. There are three ways to authenticate:

| Method | Scenario |
|--------|----------|
| API key in `Authorization` header | Server-to-server calls |
| Access token in `Authorization` header | End-user clients (web, mobile) |
| Access token in `Sec-WebSocket-Protocol` header | Browser WebSocket connections |

!!! warning
    API keys are confidential and must never reach end users. Do not embed them in client-side code, browser requests, or mobile apps, and do not send them to a browser on any code path. Hand out short-lived access tokens instead.

## API Key

The simplest way to authenticate server-to-server calls. Include your API key directly in the `Authorization` header — no token exchange required.

```
Authorization: ApiKey <your_api_key>
```

API keys are scoped to a client and can be created and managed from the [console](https://console.reson8.dev){target="_blank"}.

## Token

For client-side applications, use a short-lived access token instead of exposing your API key. Your server requests a token using the API key and passes only the token to the client. The token is a bearer credential: anyone holding it can act as the client until it expires, so send it over TLS only and request a fresh one rather than extending its lifetime.

```
Authorization: Bearer <your_access_token>
```

See the [token endpoint](../../api/auth/token.md) for how to obtain an access token.
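As an added example (not code from the reson8 docs or any reson8 SDK), the server side of that exchange in Node.js: the API key is used once, to request a token, and only the token is handed to the client. The token endpoint URL, the `POST` method and the `{ access_token, expires_in }` response shape are assumptions made for the example; the constructed `fakeTokenEndpoint` stands in for the real endpoint so the code runs offline.

```javascript
// Added example: exchange a confidential API key for a short-lived access
// token on the server and return only the token to the client. Not reson8 code.

// Guard against the most common mistake: this code ending up in a browser
// bundle. A safety net for the example, not a substitute for keeping the key
// out of client code entirely.
function assertServerContext() {
  if (typeof window !== "undefined" || typeof document !== "undefined") {
    throw new Error("API keys must only be used in server-side code");
  }
}

// Calls the token endpoint with the API key. tokenUrl, the POST method and
// the { access_token, expires_in } response body are assumptions; see the
// token endpoint reference for the real contract. fetchImpl is injectable so
// the exchange can be exercised without network access.
async function requestAccessToken(apiKey, tokenUrl, fetchImpl = globalThis.fetch) {
  assertServerContext();
  const res = await fetchImpl(tokenUrl, {
    method: "POST",
    headers: {
      Authorization: `ApiKey ${apiKey}`, // the key goes nowhere else
      Accept: "application/json",
    },
  });
  if (!res.ok) {
    throw new Error(`token endpoint rejected the API key (HTTP ${res.status})`);
  }
  const body = await res.json();
  if (typeof body.access_token !== "string" || body.access_token.length === 0) {
    throw new Error("token endpoint returned no access_token");
  }
  // This object is what your own backend returns to the browser or mobile app.
  return { accessToken: body.access_token, expiresIn: body.expires_in };
}

// Constructed stand-in for the token endpoint (not the real service): it
// enforces the `ApiKey <key>` scheme and returns a made-up token.
function fakeTokenEndpoint(expectedKey) {
  return async (_url, init) => {
    const [scheme, credential] = (init.headers.Authorization || "").split(" ");
    if (scheme !== "ApiKey" || credential !== expectedKey) {
      return { ok: false, status: 401, json: async () => ({}) };
    }
    return {
      ok: true,
      status: 200,
      json: async () => ({ access_token: "tok_example_12345", expires_in: 900 }),
    };
  };
}

// Stand-alone run against the constructed endpoint.
if (typeof require !== "undefined" && require.main === module) {
  requestAccessToken("key_constructed", "https://example.invalid/token",
    fakeTokenEndpoint("key_constructed")).then(console.log);
}
```

Swap `fakeTokenEndpoint(...)` for the default `fetch` and the real endpoint URL once you have confirmed the request and response format on the token endpoint page; the client-facing return value does not change.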

## Token in Browser

The browser `WebSocket` API does not let you set request headers, so the `Authorization` header cannot be used for WebSocket connections. Instead, pass the access token as a subprotocol value in the `Sec-WebSocket-Protocol` header of the handshake:

```
Sec-WebSocket-Protocol: bearer, <your_access_token>
```

In JavaScript, passing these values as the second argument of the `WebSocket` constructor makes the browser send that header:

```javascript
const ws = new WebSocket(url, ["bearer", accessToken]);
```

Two caveats. The server's handshake response must select `bearer` (`Sec-WebSocket-Protocol: bearer`): browsers abort the connection when they offered subprotocols and the server selected none. And the token travels as a header of the initial HTTP request, so the URL must use `wss://`, never `ws://`.
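Both ends of that hand-off, as an added example rather than reson8's own code: the client builds the protocols list, and the server parses the handshake header, verifies the token and selects the `bearer` subprotocol in its response. The `verifyToken` callback, the constructed token table and the `handleUpgrade` return shape are assumptions for the example; the character rules come from RFC 6455, which requires each subprotocol name to be an HTTP token.

```javascript
// Added example, not from the reson8 docs: both ends of the
// Sec-WebSocket-Protocol token hand-off in browser / Node.js JavaScript.

// RFC 6455 requires every subprotocol name to be an HTTP "token": letters,
// digits and !#$%&'*+-.^_`|~ only. A base64url access token (A-Z a-z 0-9 - _ .)
// qualifies; a value containing '/', '=' or whitespace does not, and the
// browser's WebSocket constructor throws a SyntaxError for it.
const HTTP_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Client side: the protocols argument for `new WebSocket(url, protocols)`.
// Checking the token here turns an opaque constructor error into a clear one.
function bearerSubprotocols(accessToken) {
  if (!HTTP_TOKEN.test(accessToken)) {
    throw new Error("access token is not a valid Sec-WebSocket-Protocol value");
  }
  return ["bearer", accessToken];
}

// Server side: pull the token out of the handshake request header. Node's
// http module joins repeated header lines with ", ", so the value is always a
// comma-separated list here. Subprotocol names are case-sensitive (RFC 6455).
function tokenFromSubprotocolHeader(headerValue) {
  if (typeof headerValue !== "string") return null;
  const offered = headerValue.split(",").map((p) => p.trim()).filter(Boolean);
  const i = offered.indexOf("bearer");
  if (i === -1 || i + 1 >= offered.length) return null;
  const token = offered[i + 1];
  return HTTP_TOKEN.test(token) ? token : null;
}

// Server side: decide the handshake. On success the response must select
// exactly one offered subprotocol: select "bearer" and never echo the token.
// Browsers abort the connection if the server selects none.
// verifyToken is a hypothetical callback returning the token's subject or null.
function handleUpgrade(requestHeaders, verifyToken) {
  const token = tokenFromSubprotocolHeader(requestHeaders["sec-websocket-protocol"]);
  const subject = token === null ? null : verifyToken(token);
  if (subject === null) {
    return { status: 401, headers: {}, subject: null };
  }
  return { status: 101, headers: { "Sec-WebSocket-Protocol": "bearer" }, subject };
}

// Constructed token table standing in for real verification. A real server
// checks the token's signature and expiry instead of looking it up here.
const CONSTRUCTED_TOKENS = { "tok_abc.def-ghi_123": "user-42" };
function verifyConstructedToken(token) {
  return CONSTRUCTED_TOKENS[token] ?? null;
}
```

`tokenFromSubprotocolHeader` deliberately returns `null` for `Bearer, ...`, for a header with no value after `bearer`, and for a token containing characters the header cannot legally carry; treat each of those as a failed handshake (HTTP 401) rather than trying to repair the value.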
