
# Authentication and API Keys

> How Rialto API keys work, how they are scoped and rate limited, and how to keep them safe.

## Bearer authentication

Protected endpoints require an API key passed as a bearer token:

```http
Authorization: Bearer rialto_live_<prefix>.<secret>
```

The public tokens endpoint does not require a key. Quote, gasless, and integrator
endpoints do.

## Obtaining a key

API keys are created through a wallet-signed onboarding flow. The wallet that
applies becomes the owner of the integrator profile and the fee-recipient wallet.
See [Integrator Onboarding](/developers/integrator-onboarding) for the full flow.
The raw key is shown only once at creation, so store it securely when it is
returned.

## Scopes

A key is issued with one or more scopes that determine which endpoints it can
call:

| Scope           | Grants                               |
| --------------- | ------------------------------------ |
| quote:read      | Request quotes.                      |
| swap:create     | Submit gasless swaps to the relayer. |
| swap:integrator | Apply an integrator fee to quotes.   |

A key without the required scope is rejected with 403.

## Rate limits and expiry

Keys are rate limited per minute, with separate limits for quoting and for swap
submission. The limits applied to a key are returned when it is created, for
example a quote limit and a lower swap limit. Exceeding a limit returns 429. Keys
may also be set to expire or be revoked, after which trading endpoints reject
them.

## Key safety

Keep API keys private. Do not expose them in public frontend code, mobile apps,
source repositories, logs, or analytics tools. Anyone holding a key can act within
its scopes. For integrator keys, fee payout and fee caps are bound to the key
server-side, so a leaked key can never redirect fees to another wallet or raise
the fee above the configured cap, but it should still be treated as a secret.
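
One way to keep keys out of logs and source repositories, as an added example that is not Rialto's own code: a Python logging filter plus a line scanner built on the `rialto_live_<prefix>.<secret>` format shown above. The character set in the pattern, the choice to keep the prefix visible (assuming it is a non-secret identifier), and the names `redact`, `RedactKeys` and `find_leaks` are assumptions.

```python
import logging
import re

# Key shape taken from the header format on this page:
# rialto_live_<prefix>.<secret>. The character set is an assumption.
KEY_RE = re.compile(r"\brialto_live_([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)")


def redact(text: str) -> str:
    """Mask the secret half of every key; keep the prefix so the key can be identified."""
    return KEY_RE.sub(lambda m: f"rialto_live_{m.group(1)}.[REDACTED]", text)


class RedactKeys(logging.Filter):
    """Logging filter that scrubs keys from the fully formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Merge args into the message first so keys passed as %s arguments are caught.
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def find_leaks(lines):
    """Return (line_number, key_prefix) for each key found, e.g. in a pre-commit scan."""
    return [(n, m.group(1))
            for n, line in enumerate(lines, 1)
            for m in KEY_RE.finditer(line)]


# Constructed sample lines; the keys are fake.
SAMPLE = [
    "request ok status=200",
    "headers={'Authorization': 'Bearer rialto_live_ab12cd.s3cr3tVALUE_x-9'}",
    "retrying with key rialto_live_zz99.anotherFakeSecret after 429",
]

if __name__ == "__main__":
    log = logging.getLogger("demo")
    handler = logging.StreamHandler()
    handler.addFilter(RedactKeys())  # attach to the handler so every record is scrubbed
    log.addHandler(handler)
    log.warning("auth header: %s", "Bearer rialto_live_ab12cd.s3cr3tVALUE_x-9")
    print(find_leaks(SAMPLE))
```

Any key that `find_leaks` reports in a repository or log archive should be treated as exposed and revoked, since redaction does not undo a leak that has already been written.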
