# Authentication

The Cashramp GraphQL API is secured with **API keys**. Generate and manage these keys in the [Developer Dashboard](https://cashramp.co/commerce).

<table><thead><tr><th width="113.66668701171875">Key</th><th width="145.44439697265625">Prefix</th><th>Intended use</th><th>Keep it where?</th></tr></thead><tbody><tr><td><strong>Public key</strong></td><td><code>CSHRMP-PUBK_</code></td><td>Client-side calls that <em>cannot</em> modify account data (e.g., widget embeds).</td><td>Safe to expose in front-end code.</td></tr><tr><td><strong>Secret key</strong></td><td><code>CSHRMP-SECK_</code></td><td>Server-to-server requests; full account access.</td><td>Store securely (env vars, vault). <strong>Never commit or share.</strong></td></tr></tbody></table>

> Cashramp **does not** retain your secret key. Copy it once, keep it safe.

{% hint style="danger" %}
If a key is leaked, log in to the dashboard and **rotate the key immediately**. Rotation revokes the old key and issues a new one.
{% endhint %}
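
The "never commit or share" rule can be enforced with a pre-commit or CI scan that flags the secret-key prefix while letting public keys through. The block below is an added example, not Cashramp's code: the key-body pattern, the function names and the sample key values are assumptions made for illustration.

```javascript
// Scan text (source files, front-end bundles) for Cashramp secret keys.
// The prefix comes from the key table; the body character set and minimum
// length are ASSUMPTIONS, because the page does not document the key format.
const SECRET_PREFIX = "CSHRMP-SECK_";
const SECRET_KEY_RE = /CSHRMP-SECK_[A-Za-z0-9_-]{8,}/g;

// Documentation placeholders such as CSHRMP-SECK_xxxxxxxx repeat one character.
function isPlaceholder(key) {
  return /^(.)\1+$/.test(key.slice(SECRET_PREFIX.length));
}

// Keep the prefix and the last 4 characters so a finding can be matched to a
// key in the dashboard without reproducing the key in CI output.
function redact(key) {
  return `${SECRET_PREFIX}...${key.slice(-4)}`;
}

// One finding per real secret key: { line, column, redacted } (1-based).
function findSecretKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const m of lineText.matchAll(SECRET_KEY_RE)) {
      if (isPlaceholder(m[0])) continue;
      findings.push({ line: i + 1, column: m.index + 1, redacted: redact(m[0]) });
    }
  });
  return findings;
}

// Exit status for a pre-commit hook or CI step: 0 = clean, 1 = secret key found.
function scanExitCode(text) {
  const findings = findSecretKeys(text);
  for (const f of findings) {
    console.error(`secret key at line ${f.line}, col ${f.column}: ${f.redacted}`);
  }
  return findings.length === 0 ? 0 : 1;
}

// Constructed sample: a front-end file with a public key (allowed), an env
// lookup (allowed) and a hard-coded secret key (flagged). Key values are made up.
const SAMPLE_BUNDLE = [
  'const widgetKey = "CSHRMP-PUBK_exampleexample1234";',
  'const client = makeClient(process.env.CSHRMP_SECRET_KEY);',
  'const debugKey = "CSHRMP-SECK_exampleexampleABCD";',
].join("\n");

console.log("exit code:", scanExitCode(SAMPLE_BUNDLE));
```

A key flagged by the scan should be treated as leaked and rotated in the dashboard, since removing it from the file does not remove it from version history.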

***

## Authenticating a Request

The API uses **Bearer auth**. Send your **secret key** in the `Authorization` header:

```
Authorization: Bearer CSHRMP-SECK_xxxxxxxxxxxxxxxxxxxxxx
```

### Example (Axios)

```javascript
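import axios from "axios";

// Server-side only: the secret key is read from the environment, never hard-coded.
const cashramp = axios.create({
  baseURL: "https://api.useaccrue.com/cashramp/api/graphql",
  headers: {
    // Bearer auth with the secret key (CSHRMP-SECK_...).
    Authorization: `Bearer ${process.env.CSHRMP_SECRET_KEY}`,
  },
});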
```

{% hint style="info" %}
All requests must be over **HTTPS**. Calls without valid authentication are rejected.
{% endhint %}
