# Authentication

> Learn how to authenticate your API requests.

All API requests must be authenticated using a **Bearer token**. To obtain a token, exchange the `client_id` and `client_secret` issued to your account.

You can find your API credentials in the [API Management](https://dashboard.railsfromthecrypt.com/api-management) section of your dashboard.

<Frame>
  <img src="https://mintcdn.com/hashrail/IK0gbdS66HVNC4fy/images/api-management.png?fit=max&auto=format&n=IK0gbdS66HVNC4fy&q=85&s=5171bbd3b76b0869054f7a54de222229" alt="API Management dashboard showing your API keys" data-path="images/api-management.png" />
</Frame>

Once you have your credentials, follow the steps below to authenticate your requests.

<Steps>
  <Step title="Request a token">
    Send a `POST` request to `/auth/token/issue` with your credentials to receive a JWT access token. See the full [Issue Token](/api-reference/auth/issue-token) API reference for details.

    **Request body**

    * `client_id` (string, required): your client UUID
    * `client_secret` (string, required): your API secret

    **Example request**

    ```bash
    curl -X POST "https://api.railsfromthecrypt.com/v1/auth/token/issue" \
      -H "Content-Type: application/json" \
      -d '{
        "client_id": "<YOUR_CLIENT_ID>",
        "client_secret": "<YOUR_CLIENT_SECRET>"
      }'
    ```

    **Response (200)**

    ```json
    {
      "success": true,
      "message": "API token issued successfully",
      "data": {
        "access_token": "<YOUR_ACCESS_TOKEN>",
        "expires_in": 3600,
        "token_type": "Bearer"
      }
    }
    ```

    **Errors**

    * `401 INVALID_CREDENTIALS` — Invalid `client_id` or `client_secret`
    * `429 RATE_LIMIT_EXCEEDED` — Too many requests; rate limit exceeded
  </Step>

  <Step title="Use the token">
    Send the token in the `Authorization` header for all authenticated requests:

    ```
    Authorization: Bearer <YOUR_ACCESS_TOKEN>
    ```

    **Example authenticated request**

    ```bash
    curl -X GET "https://api.railsfromthecrypt.com/v1/transactions" \
      -H "Authorization: Bearer <YOUR_ACCESS_TOKEN>" \
      -H "Content-Type: application/json"
    ```

    **Best practices**

    * Cache tokens and reuse them until they expire
    * Refresh the token before `expires_in` elapses
    * Never expose `client_secret` in client-side code, logs, or public repositories
    * Retry token issuance with exponential backoff on `429`
  </Step>
</Steps>
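
The best practices above, combined into one client-side helper. This is an added example, not code from the API provider: it caches the token, refreshes it shortly before `expires_in` elapses, and backs off exponentially on `429`. The names `TokenCache` and `http_post`, the 60-second refresh margin (`skew`) and the retry limit are assumptions; the endpoint and response fields are the ones shown on this page.

```python
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://api.railsfromthecrypt.com/v1/auth/token/issue"  # endpoint from this page


def http_post(url, body):
    """Default transport: POST JSON, return (status, parsed_body)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


class TokenCache:
    """Hypothetical helper: caches the bearer token and refreshes it early."""

    def __init__(self, client_id, client_secret, post=http_post,
                 clock=time.monotonic, sleep=time.sleep, skew=60, max_retries=5):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._post, self._clock, self._sleep = post, clock, sleep
        self._skew, self._max_retries = skew, max_retries
        self._token, self._refresh_at = None, 0.0

    def token(self):
        # Reuse the cached token until `skew` seconds before it expires.
        if self._token is not None and self._clock() < self._refresh_at:
            return self._token
        for attempt in range(self._max_retries):
            status, body = self._post(TOKEN_URL, self._creds)
            if status == 200:
                data = body["data"]
                self._token = data["access_token"]
                self._refresh_at = self._clock() + data["expires_in"] - self._skew
                return self._token
            if status != 429:
                # Report only the status; never echo the request body (it holds the secret).
                raise RuntimeError(f"token issuance failed: HTTP {status}")
            self._sleep(2 ** attempt)  # exponential backoff: 1 s, 2 s, 4 s, ...
        raise RuntimeError("token issuance still rate limited after retries")

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}
```

Construct `TokenCache` once per process with credentials read from a secret store or environment variables on the server side, and call `auth_header()` for each request.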
