# Authentication

> API keys, the required headers, and keeping your secret key safe.

The Manufacturer API uses two keys, both issued from the manufacturer dashboard:

| Key            | Prefix | Role                                 |
| -------------- | ------ | ------------------------------------ |
| Public API key | `mk_`  | Identifies your manufacturer account |
| Secret key     | `msk_` | Authorizes privileged requests       |

## Required headers

Send both headers on every request:

```
x-api-key: mk_...
x-secret-key: msk_...
```

A request missing either header returns `401`:

```json
{
  "error": "Missing API credentials",
  "message": "Both x-api-key and x-secret-key headers are required."
}
```

## Keep the secret key server-side

<Warning>
  The `msk_` secret key must never ship in a client app, mobile binary, or browser
  bundle. Anyone who extracts it gains privileged access to your account.
</Warning>

Keep the secret key on a server you control (an edge function / worker) and have
your client call that server, not the API directly. The client holds only the
public key; your server attaches the secret. The app-starter's `docs/SECURITY.md`
documents this setup.

## Rate limits

Each API key has a per-minute rate limit. Exceeding it returns `429`. Back off
and retry.
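
The server-side pattern and the `429` handling described above, combined in one sketch. This is an added example, not code from the app-starter or the API itself. `UPSTREAM` is a placeholder origin, and the function names, the injected `fetchFn`/`sleepFn`, and the backoff timings are assumptions.

```javascript
// Placeholder origin: the real API base URL is not given on this page.
const UPSTREAM = "https://manufacturer-api.example.invalid";

// Headers sent upstream. clientHeaders is a plain object with lower-cased
// names (as in Node's req.headers); secretKey comes from server config only.
function buildUpstreamHeaders(clientHeaders, secretKey) {
  const apiKey = clientHeaders["x-api-key"] || "";
  if (!apiKey.startsWith("mk_")) throw new Error("expected a public mk_ key");
  if (!String(secretKey || "").startsWith("msk_")) throw new Error("server secret not configured");
  // Built from scratch: a client-supplied x-secret-key is never copied through.
  return { "x-api-key": apiKey, "x-secret-key": secretKey };
}

// Only paths on the fixed origin: "@host" or a full URL would send the secret elsewhere.
function upstreamUrl(path) {
  if (typeof path !== "string" || !path.startsWith("/")) throw new Error("path must start with /");
  return UPSTREAM + path;
}

// Exponential backoff for 429: 500 ms, 1 s, 2 s, ... capped at 8 s.
function backoffDelayMs(attempt, baseMs = 500, capMs = 8000) {
  return Math.min(capMs, baseMs * 2 ** attempt);
}

// Forward one GET, retrying only on 429. fetchFn and sleepFn are injected so
// the same logic runs in a worker, in Node, or under test.
async function forward(path, clientHeaders, secretKey, fetchFn, sleepFn, maxRetries = 3) {
  const url = upstreamUrl(path);
  const headers = buildUpstreamHeaders(clientHeaders, secretKey);
  for (let attempt = 0; ; attempt++) {
    const res = await fetchFn(url, { headers });
    if (res.status !== 429 || attempt >= maxRetries) {
      // Only status and body go back to the client, never the request headers.
      return { status: res.status, body: await res.text() };
    }
    await sleepFn(backoffDelayMs(attempt));
  }
}
```

In a real handler, pass the platform's `fetch`, a timer-based sleep, and the secret read from the server's environment or secret store.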

<Card title="Start calling endpoints" icon="cube" href="/api/products">
  Products: list, create, update, delete.
</Card>
