# Authentication

> How to generate, use, and rotate your API keys

Geek Hub uses **API keys with the `ghub_sk_` prefix** sent in the `Authorization: Bearer` header.

## Key format

| Type                    | Prefix          | Use                         |
| ----------------------- | --------------- | --------------------------- |
| Production              | `ghub_sk_live_` | Real calls, consume balance |
| Sandbox *(coming soon)* | `ghub_sk_test_` | Testing without balance     |

Each key is **45 characters** in total: the `ghub_sk_live_` prefix (13 characters) followed by 32 random characters.

## Generate an API key

1. Go to the [dashboard](https://app.geekhub.mx/dashboard/keys)
2. Click **New API key**
3. Give it a descriptive name (`prod-web`, `ci-bot`, `staging`)
4. We show the key **only once** — save it before closing

<Warning>
  If you lose the key, we cannot recover it. You have to revoke the current one and generate a new one.
</Warning>

## Use your API key

Pass it in the `Authorization` header:

```bash
curl https://api.geekhub.mx/v1/models \
  -H "Authorization: Bearer ghub_sk_live_xxxxx"
```

Or with SDKs:

<CodeGroup>
  ```python Python
  import os

  from openai import OpenAI

  client = OpenAI(
      base_url="https://api.geekhub.mx/v1",
      api_key=os.environ["GEEKHUB_API_KEY"],  # read from the environment, never hardcoded
  )
  ```

  ```javascript Node.js
  import OpenAI from "openai";

  const client = new OpenAI({
    baseURL: "https://api.geekhub.mx/v1",
    apiKey: process.env.GEEKHUB_API_KEY,
  });
  ```
</CodeGroup>

## Best practices

<AccordionGroup>
  <Accordion title="Don't hardcode keys in code" icon="lock">
    Use environment variables (`process.env.GEEKHUB_API_KEY`) or a secrets service (AWS Secrets Manager, Vault, etc.).
  </Accordion>

  <Accordion title="One key per environment / app" icon="layer-group">
    Create separate keys for production, staging, CI, etc. If one is compromised, you only revoke that one.
  </Accordion>

  <Accordion title="Revoke unused keys" icon="trash">
    In the dashboard, unused keys appear marked. Revoke them to reduce attack surface.
  </Accordion>

  <Accordion title="Rotate periodically" icon="rotate">
    Every 90 days: generate a new key, deploy it, then revoke the old one.
  </Accordion>
</AccordionGroup>
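
The following added example is not part of Geek Hub's SDK or documentation code: it uses the documented key format (prefix plus 32 characters, 45 in total) to find keys hardcoded in source text and to validate the key read from `GEEKHUB_API_KEY` at startup. The alphanumeric alphabet for the random part, the function names, and the sample text are assumptions.

```python
import os
import re

# Documented format: prefix + 32 random characters, 45 characters in total.
# Assumption: the random part is drawn from [A-Za-z0-9]; the page does not
# state the alphabet, so widen the class if your keys contain other symbols.
KEY_RE = re.compile(
    r"(?<![A-Za-z0-9_])ghub_sk_(?:live|test)_[A-Za-z0-9]{32}(?![A-Za-z0-9])"
)


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so a finding can be tied to a key."""
    prefix_end = key.index("_", len("ghub_sk_")) + 1
    return key[:prefix_end] + "*" * (len(key) - prefix_end - 4) + key[-4:]


def scan_text(text: str, path: str = "<memory>") -> list[tuple[str, int, str]]:
    """Return (path, line number, redacted key) for every hardcoded key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((path, lineno, redact(match.group(0))))
    return findings


def load_key(env=os.environ, name: str = "GEEKHUB_API_KEY") -> str:
    """Read the key from the environment and fail fast if it is malformed."""
    key = env.get(name, "").strip()
    if not KEY_RE.fullmatch(key):
        raise RuntimeError(f"{name} is missing or is not a 45-character ghub_sk_ key")
    return key


# Constructed sample: a fake key (not a real credential) hardcoded in source,
# next to the documentation placeholder and the recommended env lookup.
FAKE_KEY = "ghub_sk_live_" + "A1b2C3d4" * 4
SAMPLE = f'''client = OpenAI(api_key="{FAKE_KEY}")
docs = "ghub_sk_live_xxxxx"
api_key = os.environ["GEEKHUB_API_KEY"]
'''

if __name__ == "__main__":
    for path, lineno, shown in scan_text(SAMPLE, "app.py"):
        print(f"{path}:{lineno}: hardcoded Geek Hub key {shown}")
```

Run `scan_text` over staged files in a pre-commit hook or CI job, and call `load_key` once at process start so a truncated or placeholder key fails before the first request.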

## Common authentication errors

| HTTP code | Message                | Cause                                      |
| --------- | ---------------------- | ------------------------------------------ |
| `401`     | `missing_api_key`      | You didn't send the `Authorization` header |
| `401`     | `invalid_api_key`      | Key doesn't exist or is revoked            |
| `402`     | `insufficient_balance` | Your balance is ≤ \$0 MXN, top up          |

See [Errors](/en/concepts/errors) for the full catalog.
