> ## Documentation Index
> Fetch the complete documentation index at: https://cryptorobot.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Create and manage API keys for programmatic access

## Overview

API keys provide long-lived authentication for:

* Automated trading bots
* Server-to-server integrations
* CI/CD pipelines
* Third-party app integrations

Unlike JWT tokens, API keys don't expire automatically and can be scoped to specific permissions.

## Creating an API Key

```bash theme={null}
curl -X POST https://api.cryptorobot.ai/keys \
  -H "Authorization: Bearer eyJ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My Trading Bot",
    "scopes": ["read:strategies", "read:exchanges", "write:traders"]
  }'
```

### Response

```json theme={null}
{
  "_id": "key-id-123",
  "name": "My Trading Bot",
  "key": "cr_live_a1b2c3d4e5f6...",
  "scopes": ["read:strategies", "read:exchanges", "write:traders"],
  "lastUsed": null,
  "createdAt": "2024-01-15T10:00:00Z"
}
```

<Warning>
  The full API key (`key` field) is only returned once at creation time. Store it securely — it cannot be retrieved again.
</Warning>

## Using an API Key

Include the key in the `Authorization` header with the `ApiKey` prefix:

```bash theme={null}
curl https://api.cryptorobot.ai/strategies \
  -H "Authorization: ApiKey cr_live_a1b2c3d4e5f6..."
```

<CodeGroup>
  ```javascript JavaScript theme={null}
  const api = axios.create({
    baseURL: 'https://api.cryptorobot.ai',
    headers: {
      'Authorization': 'ApiKey cr_live_a1b2c3d4e5f6...',
      'Content-Type': 'application/json'
    }
  });

  const { data } = await api.get('/strategies');
  ```

  ```python Python theme={null}
  import requests

  headers = {
      'Authorization': 'ApiKey cr_live_a1b2c3d4e5f6...',
      'Content-Type': 'application/json'
  }

  response = requests.get('https://api.cryptorobot.ai/strategies', headers=headers)
  ```
</CodeGroup>

## Available Scopes

| Scope              | Description                                      |
| ------------------ | ------------------------------------------------ |
| `read:strategies`  | View strategies, templates, indicators           |
| `write:strategies` | Create/update/delete strategies                  |
| `read:exchanges`   | View exchange connections, balances, market data |
| `write:exchanges`  | Create/update/delete exchange connections        |
| `read:traders`     | View trading bots and pod status                 |
| `write:traders`    | Create/start/stop trading bots                   |
| `read:portfolio`   | View trades, balance series, snapshots           |
| `read:insights`    | View market insights and signals                 |
| `read:models`      | View model signals and subscriptions             |
| `write:models`     | Subscribe/unsubscribe to signals                 |

## Managing API Keys

### List Keys

```bash theme={null}
curl https://api.cryptorobot.ai/keys \
  -H "Authorization: Bearer eyJ..."
```

### Revoke a Key

```bash theme={null}
curl -X DELETE https://api.cryptorobot.ai/keys/key-id-123 \
  -H "Authorization: Bearer eyJ..."
```

<Note>
  Revoking an API key is immediate. Any requests using that key will receive a `401` error.
</Note>

## Restricted Endpoints

When using API keys, certain endpoints enforce scope-based access through the `/restricted` path:

```bash theme={null}
# Access scoped data via API key
curl https://api.cryptorobot.ai/restricted?resource=strategies \
  -H "Authorization: ApiKey cr_live_..."
```

The restricted endpoint validates that your API key has the required scope for the requested resource.

## Best Practices

<Steps>
  <Step title="Use descriptive names">
    Name keys after their purpose: "Production Trading Bot", "Backtest Runner", "Portfolio Dashboard"
  </Step>

  <Step title="Apply least-privilege scopes">
    Only grant the scopes the integration actually needs. A monitoring dashboard only needs `read:*` scopes.
  </Step>

  <Step title="Rotate keys periodically">
    Create a new key, update your integration, then revoke the old key.
  </Step>

  <Step title="Use environment variables">
    Never hardcode API keys in source code. Use environment variables or secret managers.
  </Step>

  <Step title="Monitor usage">
    Check the `lastUsed` field to identify unused keys that should be revoked.
  </Step>
</Steps>
