# Authentication

> Authenticate with the Shuriken API using Bearer tokens.

Every Shuriken API request requires a Bearer token in the `Authorization` header. Your API key controls what the caller can access, from read-only token lookups to full trade execution.

## Getting your API key

Create an Agent Key from the Shuriken Terminal. Each key comes with configurable permissions and spending limits enforced server-side.

<Steps>
  <Step title="Open Agent Keys">
    Click your **profile icon** in the top-right corner of the Terminal, then select **Agent Keys**.
  </Step>

  <Step title="Create a new key">
    Click **+ New Agent** and choose a template or create a custom key with the exact permissions you need.
  </Step>

  <Step title="Copy your key">
    Copy the key immediately; you won't be able to see it again.
  </Step>
</Steps>

<Tip>
  See the full [Create an Agent Key](/agent-kit/create-agent-key) guide for templates, custom permissions, and trading limits.
</Tip>

## Using your key

Include the key as a Bearer token in the `Authorization` header on every request:

```bash theme={null}
curl -X GET "https://api.shuriken.trade/api/v2/account/me" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```python Python theme={null}
import requests

headers = {"Authorization": "Bearer YOUR_API_KEY"}
response = requests.get(
    "https://api.shuriken.trade/api/v2/account/me",
    headers=headers,
)
```

```javascript JavaScript theme={null}
const response = await fetch(
  "https://api.shuriken.trade/api/v2/account/me",
  { headers: { Authorization: "Bearer YOUR_API_KEY" } }
);
```

## Authentication errors

If your key is missing, invalid, or expired, the API returns a `401`:

```json theme={null}
{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or expired API key"
  },
  "requestId": "req_abc123"
}
```

Some endpoints require specific permissions. If your key lacks the required scope, you'll get a `403`.

## Security best practices

* Store keys in environment variables, never in source code
* Rotate keys periodically from the [Agent Keys dashboard](https://app.shuriken.trade/agents)
* Use the minimum permissions needed for your use case
* Monitor key activity and usage via `GET /api/v2/account/usage`

<Warning>
  API keys grant access to your Shuriken account. Never share them publicly or commit them to version control.
</Warning>
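
The practices above, combined with the `401`/`403` behaviour from the previous section, as an added example that is not part of the Shuriken documentation or SDK: the key is read from the environment and rejected if it is missing or still the placeholder, and an auth failure is mapped to the action an operator should take. The variable name `SHURIKEN_API_KEY` and the action strings are assumptions made for this sketch.

```python
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.shuriken.trade"  # base URL used in the examples above
KEY_ENV_VAR = "SHURIKEN_API_KEY"         # assumed name, not defined by the docs


def load_api_key(environ=os.environ):
    """Read the key from the environment and fail closed if it is unusable."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    if key == "YOUR_API_KEY":
        raise RuntimeError(f"{KEY_ENV_VAR} still holds the placeholder value")
    return key


def classify_auth_failure(status, body):
    """Map an error response to (action, request_id).

    Neither 401 nor 403 is fixed by retrying with the same key, so the
    caller should stop and act instead of looping. Action names are
    hypothetical labels for this example.
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        doc = {}
    request_id = doc.get("requestId") if isinstance(doc, dict) else None
    if status == 401:  # key missing, invalid, or expired
        return "rotate_or_replace_key", request_id
    if status == 403:  # key accepted but lacks the required scope
        return "grant_missing_permission", request_id
    return "not_an_auth_error", request_id


def get_account(key, timeout=10):
    """Call /api/v2/account/me; returns (status, parsed body or action tuple)."""
    req = urllib.request.Request(
        API_BASE + "/api/v2/account/me",
        headers={"Authorization": f"Bearer {key}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, classify_auth_failure(err.code, err.read())
```

Log the returned `requestId` rather than the key itself when reporting a failure.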
