# Authentication

Foxora supports two ways to authenticate gateway requests: a Supabase JWT (used by the dashboard and desktop app) and a long-lived system API key (used by your own backends).

## Pick the right token

- Supabase JWT — obtained from sign-in. Short-lived (~1 hour). Use this for browser and desktop clients that already have a user session.
- System API key — created in the dashboard, prefixed with foxora_sk_. Long-lived. Use this for backend services and CLIs.

> Never put a system key in a browserSystem keys grant full access to your account’s usage and spend. Keep them server-side only. If a key leaks, rotate it immediately from the dashboard.

## Sending the token

Both token types go in the same header:

```
Authorization: Bearer YOUR_TOKEN_HERE
```

## Creating a system key

- Open Dashboard → Settings.
- Scroll to API keys.
- Click + New key, give it a name, and copy the value once — it isn’t shown again.
- Store it in your secret manager or .env.

```
FOXORA_API_KEY=foxora_sk_live_abc123...
```

## Rotating & revoking

From the same settings page you can rotate (issue a new value) or revoke (delete) any key. Revoked keys stop working within seconds.

## Verifying a token

To confirm a token is healthy, hit GET /v1/me. A 200 response means the token is valid and tells you which plan you’re on. See /v1/me.