> ## Documentation Index
> Fetch the complete documentation index at: https://docs.khaime.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Khaime Partner API.

# Authentication

The Khaime Partner API uses API key authentication via the `X-API-Key` header.

## API Key Types

| Type    | Prefix        | Use                        |
| ------- | ------------- | -------------------------- |
| Sandbox | `pk_sandbox_` | Testing — no real charges  |
| Live    | `pk_live_`    | Production — real payments |

## Creating API Keys

1. Log in to [app.khaime.com](https://app.khaime.com)
2. Go to **Settings → API & Integrations**
3. Click **Create API Key**
4. Select environment (Sandbox or Live)
5. Copy the key — it's shown only once

## Using Your Key

Include the key in every request:

<CodeGroup>
  ```bash cURL theme={null}
  curl -H "X-API-Key: pk_sandbox_bff301298a..." \
       -H "Content-Type: application/json" \
       https://api.khaime.com/api/v1/partner/products
  ```

  ```javascript Node.js theme={null}
  const response = await fetch('https://api.khaime.com/api/v1/partner/products', {
    headers: {
      'X-API-Key': process.env.KHAIME_API_KEY,
      'Content-Type': 'application/json',
    },
  });
  ```

  ```python Python theme={null}
  import requests

  response = requests.get(
      'https://api.khaime.com/api/v1/partner/products',
      headers={'X-API-Key': os.environ['KHAIME_API_KEY']},
  )
  ```
</CodeGroup>

## Key Management

### Programmatic Key Management

| Method | Endpoint                                  | Description           |
| ------ | ----------------------------------------- | --------------------- |
| POST   | `/create-api-key`                         | Create new API key    |
| GET    | `/api-keys`                               | List all keys         |
| DELETE | `/api-keys/:id`                           | Revoke a key          |
| PUT    | `/api-keys/:id/toggle-status`             | Enable/disable key    |
| PUT    | `/api-keys/:id/webhook`                   | Set webhook URL       |
| POST   | `/api-keys/:id/regenerate-webhook-secret` | Rotate webhook secret |

<Warning>
  Key management endpoints require your user auth token (`x-id-key` header), not the API key itself.
  These are typically called from your dashboard, not from integration code.
</Warning>

## Security Best Practices

* Never expose API keys in client-side code or version control
* Use environment variables to store keys
* Use sandbox keys for development and testing
* Rotate keys periodically
* Revoke compromised keys immediately
