# Authentication

All API requests must include a valid API key.

## Creating an API Key

1. Go to **Settings** > **API Keys** in your dashboard
2. Click **Generate New Key**
3. Copy the key immediately — it's only shown once
4. Store it securely (environment variable, secrets manager)

## Using Your Key

Include the key in the `Authorization` header of every request:

```bash
curl https://rentalot.ai/api/v1/properties \
  -H "Authorization: Bearer ra_abc123..."
```

## Key Format

Keys are prefixed with `ra_` followed by 32 random bytes (base64url-encoded). They are hashed with SHA-256 before storage — Rentalot cannot recover a lost key, so save it when it's generated.

## Failed Authentication

A missing, malformed, expired, or revoked key returns `401 Unauthorized` in [RFC 9457](https://www.rfc-editor.org/rfc/rfc9457) Problem Details format:

```json
{
  "type": "https://rentalot.ai/problems/unauthorized",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Missing or invalid API key"
}
```

## Revoking Keys

Revoke any key from **Settings** > **API Keys**. Revocation is immediate — any requests using that key will return `401 Unauthorized`.

## API Access by Plan

Your API key inherits the rate limits and permissions of your plan:

| Plan | Access | API Keys | Global RPM | Daily Requests |
|------|--------|----------|-----------|----------------|
| Free Trial | No API | 0 | — | — |
| Starter | Read-only | 2 | 30/min | 5,000/day |
| Pro | Full CRUD | 5 | 120/min | 50,000/day |
| Scale | Full + priority | 20 | 600/min | 500,000/day |

Write operations have additional per-resource daily and monthly limits. Upgrade your plan to increase limits.

## Security

- Never commit API keys to version control
- Use environment variables to store keys
- Rotate keys periodically
- Each key is scoped to your account — it can only access your properties and data
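
The key format described above makes the first rule in this list enforceable. The scanner below is an added example, not Rentalot's own code, meant for a pre-commit hook or CI step: it flags key-shaped tokens and reports them redacted. It assumes the base64url body is unpadded (43 characters); `find_keys`, `fingerprint`, `make_sample_key` and the `RENTALOT_API_KEY` variable name are hypothetical, and the sample input is constructed.

```python
import base64
import hashlib
import re
import secrets
import sys
from pathlib import Path

ALPHABET = "A-Za-z0-9_-"
# Assumption: 32 bytes base64url-encoded without "=" padding is 43 characters.
# The lookarounds stop matches inside longer tokens such as "extra_...".
KEY_RE = re.compile(rf"(?<![{ALPHABET}])ra_[{ALPHABET}]{{43}}(?![{ALPHABET}])")


def make_sample_key() -> str:
    """Constructed key in the documented shape; not a real Rentalot key."""
    body = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=")
    return "ra_" + body.decode("ascii")


def fingerprint(key: str) -> str:
    """Short SHA-256 digest for reports, so the key itself is never printed.
    Not claimed to equal the value Rentalot stores server-side."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()[:16]


def find_keys(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, redacted key, fingerprint) per key-shaped token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            findings.append((lineno, key[:7] + "...", fingerprint(key)))
    return findings


if __name__ == "__main__":
    # Scan files named on the command line, or a constructed sample if none.
    sources = {p: Path(p).read_text(errors="replace") for p in sys.argv[1:]}
    if not sources:
        # RENTALOT_API_KEY is a hypothetical variable name for the sample.
        sources = {"<sample>": f"DEBUG=1\nRENTALOT_API_KEY={make_sample_key()}\n"}
    hits = [(name, *f) for name, text in sources.items() for f in find_keys(text)]
    for name, lineno, redacted, fp in hits:
        print(f"{name}:{lineno}: possible API key {redacted} sha256:{fp}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status blocks the commit when the script is run from a hook. Treat any key it finds in history as exposed and revoke it from **Settings** > **API Keys**.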
