> ## Documentation Index
> Fetch the complete documentation index at: https://docs.orafi.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate requests to the Orafi API using API keys.

All requests to the Orafi API must include a valid API key in the `x-api-key` header. Your API key identifies your business and determines whether requests run in **test** or **live** mode.

***

## API key format

| Environment | Prefix      | Example                    |
| ----------- | ----------- | -------------------------- |
| Test        | `ora_test_` | `ora_test_a1b2c3d4e5f6...` |
| Live        | `ora_live_` | `ora_live_x9y8z7w6v5u4...` |

Both test and live keys are 32+ characters and available in your [Dashboard](https://dashboard.orafi.app).

***

## Making authenticated requests

Include your API key in the `x-api-key` header on every request:

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET https://api.orafi.app/transactions \
    -H "x-api-key: ora_test_your_api_key"
  ```

  ```javascript Node.js theme={null}
  const response = await fetch("https://api.orafi.app/transactions", {
    headers: {
      "x-api-key": "ora_test_your_api_key"
    }
  });
  ```

  ```python Python theme={null}
  import requests

  response = requests.get(
      "https://api.orafi.app/transactions",
      headers={"x-api-key": "ora_test_your_api_key"}
  )
  ```
</CodeGroup>

<Warning>
  Requests without a valid `x-api-key` header return a **401 Unauthorized** error.
</Warning>

***

## Test vs live mode

Your API key controls which mode you operate in. Both modes use the same base URL (`https://api.orafi.app`), so there's no environment-specific endpoint to remember.

| Feature             | Test mode          | Live mode          |
| ------------------- | ------------------ | ------------------ |
| Real funds          | No (testnet)       | Yes (mainnet)      |
| Webhooks            | Delivered normally | Delivered normally |
| Onboarding required | No                 | Yes                |
| API key prefix      | `ora_test_`        | `ora_live_`        |

<Tip>
  Always develop and test your integration using test-mode keys first. Switch to live keys only after your integration is verified.
</Tip>

***

## Keeping keys secure

* **Never** expose API keys in client-side code, mobile apps, or public repositories.
* Store keys in environment variables or a secrets manager.
* Rotate keys immediately if you suspect they have been compromised.
* Use test keys for all development and CI/CD pipelines.
