> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ababilpay.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Bearer API key authentication and rate limiting for the Ababil API.

## API Keys

All merchant API calls require a Bearer API key in the `Authorization` header.

```bash theme={null}
Authorization: Bearer sk_test_xxxxxxxxxxxxxxxxxxxx
```

API keys are created from the **Ababil Dashboard → API Keys**.

| Prefix        | Environment | Base URL                          |
| ------------- | ----------- | --------------------------------- |
| `sk_test_...` | Testnet v1  | `https://testnetv1.ababilpay.xyz` |

<Warning>
  **Keep keys server-side.** Merchant API keys must never be exposed in browser or mobile client code. For browser-initiated flows, use the [Hosted Gateway](/api-reference/hosted-gateway) or issue short-lived tokens from your backend.
</Warning>

## Rate Limiting

The API enforces a limit of **60 requests per minute** per API key. Every response includes the following rate limit headers:

| Header                  | Description                                     |
| ----------------------- | ----------------------------------------------- |
| `X-RateLimit-Remaining` | Requests remaining in the current window        |
| `X-RateLimit-Reset`     | Unix timestamp (seconds) when the window resets |

When the limit is exceeded, the API returns HTTP `429` with error code `RATE_LIMITED`. Wait until `X-RateLimit-Reset` before retrying — do not retry immediately in a loop.
