> ## Documentation Index
> Fetch the complete documentation index at: https://api.docs.rocketfi.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys for SDK signing, account-scoped access, and how state-changing REST calls work.

## API keys

RocketFi issues **API keys** from the product UI so your automation can act on behalf of an account **together with the official SDKs**. Keys are **not** sent as HTTP `Authorization`, `X-Api-Key`, or similar **auth headers** for routine REST or WebSocket traffic.

Create and rotate keys here:

**[beta.rocketfi.io/api-management](https://beta.rocketfi.io/api-management)**

Treat each key like a password:

* Do **not** embed keys in front-end code or mobile apps that users can extract.
* Prefer **environment variables** or a secrets manager on servers where the **Rust** or **Python** SDK runs.
* **Rotate** keys if they leak or when people leave the team.

### How keys are used

Use the key **inside your application** with **[rocket-sdk-rust](https://github.com/rocketfoundation/rocket-sdk-rust)** or **[rocket-sdk-python](https://github.com/rocketfoundation/rocket-sdk-python)** so the SDK can **sign transactions** (orders, transfers, vault actions, and other chain-backed operations) correctly. The signed payload is what the API validates—not a bare secret on the wire as a header.

See **[SDKs and examples](/guides/sdk)** for setup and versioning.

## REST requests

* **Public reads** (instruments, candles, fees, and similar) usually need **no key** in the request—see **[Public REST-API](/guides/public-rest-api)**.
* **Account-scoped reads** pass the **account address** (and other parameters) in the path or body as defined in **[OpenAPI](https://beta.rocket-cluster-1.com/docs/openapi.json)**—the contract is the source of truth for each route.
* **Writes** (trading, vault, etc.) are submitted as **signed transactions** built with the SDK; follow the operation’s request schema and examples in Swagger or this site’s REST pages.

If something is rejected, you will typically see **401**, **403**, or **422** with a concrete error—see **[Error responses](/guides/errors)**.

## WebSocket connections

The stream multiplexes subscription types over **`/ws`**; see **[Public WebSocket streams](/guides/ws-public)** and **[Private WebSocket streams](/guides/ws-private)**.

**Private** subscriptions carry **account** (and optional **instrument**) fields in the **subscribe JSON** as defined in **[AsyncAPI](/websocket-stream)**—not an API-key header on the WebSocket upgrade.

## User-Agent and tracing

Some gateways expect a non-empty **`User-Agent`**. Set a descriptive value (product name + version + contact) to simplify support and abuse tracing.