Authentication

Security

Learn how to securely authenticate with the TokenRouter API using API keys and best practices.

API Key Authentication

TokenRouter uses API key authentication. All requests must include your API key in the Authorization header using the Bearer token format.

Authentication Header
Include this header in all API requests
Authorization: Bearer tr_your_api_key_here

API Key Format

TokenRouter API keys follow a specific format for easy identification and security.

Production Keys
For live applications
tr_live_1234567890abcdef...

Production keys start with tr_live_ and are used for real applications.

Test Keys
For development and testing
tr_test_1234567890abcdef...

Test keys start with tr_test_ and are used for development.

Security Best Practices

Critical Security Guidelines
  • Never expose API keys in client-side code, public repositories, or logs
  • Store API keys as environment variables or in secure key management systems
  • Rotate API keys regularly and immediately if compromised

✅ Do This
  • Store keys in environment variables
  • Use different keys for dev/staging/prod
  • Implement key rotation policies
  • Monitor API key usage
  • Use HTTPS for all requests
  • Implement rate limiting

❌ Don't Do This
  • Hard-code keys in source code
  • Commit keys to version control
  • Share keys via email or chat
  • Use production keys in development
  • Log API keys in application logs
  • Store keys in client-side storage

Environment Variables

The recommended way to store and access your API keys is through environment variables.

Node.js Environment Variables
Using process.env to access environment variables

.env file (keep it out of version control):

TOKENROUTER_API_KEY=tr_live_your_key_here

JavaScript code:

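// Node does not read .env by itself: start the process with
// `node --env-file=.env` (Node 20.6+) or use a loader such as dotenv.
const apiKey = process.env.TOKENROUTER_API_KEY;

// Top-level await needs an ES module; otherwise wrap this in an async function.
const response = await fetch('https://api.tokenrouter.com/route', {
  headers: {
    // The key travels only in the Authorization header, never in the URL.
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json',
  },
  // ... rest of request
});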

Authentication Errors

Common authentication errors and how to resolve them.

401 Unauthorized
Invalid or missing API key
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key provided",
    "code": "invalid_api_key"
  }
}

Solution: Check that your API key is correct and properly formatted in the Authorization header.

403 Forbidden
API key lacks required permissions
{
  "error": {
    "type": "permission_error",
    "message": "API key does not have permission for this resource",
    "code": "insufficient_permissions"
  }
}

Solution: Ensure your API key has the necessary permissions or contact support.
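
The guidance on this page applied in Node.js, as an added example that is not TokenRouter's own code: it refuses a production key outside production, masks keys before text is logged, and classifies the 401/403 error bodies shown above. The function names are illustrative, and it assumes the key body after the prefix is alphanumeric and that NODE_ENV names the deployment stage.

```javascript
// Added example, not TokenRouter code. Assumptions: the key body after the
// documented prefix is alphanumeric, and NODE_ENV names the deployment stage.
const KEY_IN_TEXT = /\btr_(live|test)_[A-Za-z0-9]+/g;
const WHOLE_KEY = /^tr_(live|test)_[A-Za-z0-9]+$/;

// Read the key from an environment object and refuse unsafe combinations.
function loadApiKey(env = process.env) {
  const key = (env.TOKENROUTER_API_KEY || '').trim();
  if (!key) throw new Error('TOKENROUTER_API_KEY is not set');
  const match = WHOLE_KEY.exec(key);
  if (!match) throw new Error('TOKENROUTER_API_KEY lacks the tr_live_/tr_test_ format');
  if (match[1] === 'live' && env.NODE_ENV !== 'production') {
    throw new Error('refusing to use a production key outside production');
  }
  return key;
}

// Mask anything shaped like a key before the text reaches a log sink.
function redactKeys(text) {
  return String(text).replace(KEY_IN_TEXT, (_m, kind) => `tr_${kind}_[REDACTED]`);
}

// Map the documented 401/403 error bodies to the action the page recommends.
function describeAuthError(status, body) {
  const code = body && body.error && body.error.code;
  if (status === 401 && code === 'invalid_api_key') return 'check-key';
  if (status === 403 && code === 'insufficient_permissions') return 'check-permissions';
  return 'not-an-auth-error';
}

// Constructed sample input (not a real key or a real log line).
const sampleLog = 'request failed, sent header Authorization: Bearer tr_live_1234567890abcdef';
console.log(redactKeys(sampleLog));
console.log(describeAuthError(403, { error: { code: 'insufficient_permissions' } }));
```

The error messages thrown by loadApiKey never contain the key value, so they are safe to log.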