> ## Documentation Index
> Fetch the complete documentation index at: https://docs.voicy.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate with the Voicy API

# Authentication

The Voicy API uses API keys for authentication. All requests must include your API key in the `Authorization` header.

## API Key Format

Voicy API keys follow this format:

```
voicy_sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

* `voicy_sk_live_` - Prefix identifying this as a Voicy secret key
* `xxxx...` - 28 characters of cryptographically random data

## Using Your API Key

Include the API key as a Bearer token in the `Authorization` header:

```bash theme={null}
curl https://api.voicy.co/functions/v1/call-list \
  -H "Authorization: Bearer voicy_sk_live_your_key_here" \
  -H "Content-Type: application/json"
```

<Warning>
  **Keep your API keys secure!** Never commit them to source control or expose them in client-side code.
</Warning>

## Creating API Keys

<Steps>
  <Step title="Log in to the Dashboard">
    Go to [app.voicy.co](https://app.voicy.co) and sign in with your account.
  </Step>

  <Step title="Navigate to Account Settings">
    Click on **Account** in the sidebar (for account admins) or go to **Accounts** and select your account (for global admins).
  </Step>

  <Step title="Create a New Key">
    Click **Create Key** and give it a descriptive name (e.g., "Production", "Development").
  </Step>

  <Step title="Copy Your Key">
    The full API key will only be shown once. Copy it immediately and store it securely.
  </Step>
</Steps>

<Info>
  API keys are scoped to your account. All calls made with a key will only access data within that account.
</Info>

## Key Security

### Storage Best Practices

| Do                                                 | Don't                           |
| -------------------------------------------------- | ------------------------------- |
| Store in environment variables                     | Commit to git repositories      |
| Use secrets management (AWS Secrets Manager, etc.) | Hardcode in application code    |
| Rotate keys periodically                           | Share keys between environments |
| Use separate keys for dev/staging/prod             | Log full API keys               |

### How Keys Are Stored

Your API keys are stored securely using industry-standard practices:

* **Never stored in plaintext** - We only store a SHA-256 hash
* **Prefix stored separately** - Enables fast O(1) lookup
* **Same pattern as Stripe, GitHub, OpenAI**

This means even Voicy engineers cannot retrieve your API key after creation.

## Revoking Keys

If a key is compromised:

1. Go to **Account Settings** in the dashboard
2. Find the compromised key in the list
3. Click the menu (⋮) and select **Revoke**
4. The key is immediately invalidated

Revoked keys return `401 Unauthorized` on all subsequent requests.

## Rate Limits

API keys are subject to rate limits based on your plan:

| Plan       | Requests/minute | Concurrent calls |
| ---------- | --------------- | ---------------- |
| Standard   | 60              | 10               |
| Enterprise | 600             | 100              |

See [Rate Limits](/rate-limits) for more details.
