# Authentication

> Pass your API key as a Bearer token. That's it.

```http
POST /v1/evaluate HTTP/1.1
Host: api-attestly.code4source.com
Authorization: Bearer atk_live_4eC39HqLyjWDarjtT1zdp7dcrYx2bfBNxxxxxxxx
Content-Type: application/json
```

No OAuth, no token endpoint, no refresh.

## Per-request gates

Every call is checked against three things, in order:

1. **Authentication** — bearer must be a valid `atk_*` key issued to
   your Organization.
2. **Subscription** — your contract must be active. An expired or
   suspended subscription returns `402 SUBSCRIPTION_INACTIVE`.
3. **Quota** — you must be within your contracted monthly cap. Over:
   `429 QUOTA_EXCEEDED`.

See [Errors](/reference/errors) and [Quotas](/reference/quotas) for the
response shapes and headers.

## Security guidance

* Store keys in a secret manager. Never commit, never log, never put in
  URL query strings.
* One key per environment (`production`, `staging`, `ci`). If one key
  leaks, the blast radius is bounded.
* Rotate on personnel changes and at least annually. Rotation is
  zero-downtime: ask us to mint a new key, deploy it, then ask us to
  revoke the old one.
* Suspected leak? Email `security@attestly.io`. Revocation propagates
  in milliseconds.
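As an added example (not Attestly's SDK and not code from this page), here is a small Python client skeleton that applies the guidance above together with the gate order from the previous section: the key is read from an environment variable (one per environment), sent only in the `Authorization` header, redacted before it can reach a log line, and each response is mapped to the gate that rejected it. The environment-variable name `ATTESTLY_API_KEY`, the use of HTTP 401 for the authentication gate, and a JSON `code` field in error bodies are assumptions made for this example; the real response shapes are on the Errors and Quotas pages.

```python
"""Client skeleton for the Attestly evaluate endpoint.

Added example, not Attestly's own code. Assumptions not taken from the page:
  - the key lives in ATTESTLY_API_KEY (a per-environment secret);
  - the authentication gate rejects with HTTP 401;
  - error bodies are JSON with a "code" field (real shape: Errors page).
"""
import json
import os
import urllib.error
import urllib.request

API_URL = "https://api-attestly.code4source.com/v1/evaluate"

# Gate order from the page: authentication, then subscription, then quota.
GATES = {
    401: "authentication",   # assumed status; page only says the key must be valid
    402: "subscription",     # SUBSCRIPTION_INACTIVE
    429: "quota",            # QUOTA_EXCEEDED
}


class GateError(Exception):
    """Raised when one of the per-request gates rejects the call."""

    def __init__(self, gate, status, code):
        super().__init__(f"{gate} gate failed: HTTP {status} {code}")
        self.gate, self.status, self.code = gate, status, code


def load_api_key(env_var="ATTESTLY_API_KEY", environ=None):
    """Read the key from the environment, never from source or a URL."""
    environ = os.environ if environ is None else environ
    key = environ.get(env_var, "").strip()
    if not key.startswith("atk_"):
        raise ValueError(f"{env_var} is unset or is not an atk_* key")
    return key


def redact(key):
    """Log-safe form of a key: the atk_<env> prefix and last four characters only."""
    if len(key) <= 12:
        return "atk_..."
    return key[:8] + "..." + key[-4:]


def build_request(key, payload):
    """Put the bearer token in the header; refuse to build a URL containing the key."""
    if key in API_URL:
        raise ValueError("API key must never appear in the request URL")
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        API_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {key}",
            "Content-Type": "application/json",
        },
    )


def check_gates(status, body):
    """Return the body on success, otherwise raise for the gate that rejected the call."""
    if 200 <= status < 300:
        return body
    code = body.get("code", "") if isinstance(body, dict) else ""
    raise GateError(GATES.get(status, "unknown"), status, code)


def _send(req):
    """Perform the HTTP call; return (status, parsed JSON body) even on error."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"{}")
        except ValueError:
            return err.code, {}


def evaluate(payload, environ=None, send=_send):
    """Load the key, build the request, send it, and apply the gate mapping."""
    key = load_api_key(environ=environ)
    req = build_request(key, payload)
    status, body = send(req)          # `send` is injectable for offline tests
    return check_gates(status, body)


if __name__ == "__main__":
    # Constructed sample run with a fake transport; no network access needed.
    fake_env = {"ATTESTLY_API_KEY": "atk_live_4eC39HqLyjWDarjtT1zdp7dcrYx2bfBNxxxxxxxx"}
    print("logging key as:", redact(fake_env["ATTESTLY_API_KEY"]))
    try:
        evaluate({"subject": "demo"}, environ=fake_env,
                 send=lambda r: (402, {"code": "SUBSCRIPTION_INACTIVE"}))
    except GateError as exc:
        print(exc)
```

Inject a fake `send` to exercise the gate mapping in CI without a live key; in production, `load_api_key` is the only place the secret is touched, and anything written to a log should go through `redact`.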
