> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rails.wayex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate with a tenant-bound API key and grant direct-route or Treasury access.

The Wayex API authenticates with an **API key**. Send it on every request in either header:

```bash theme={null}
# Preferred
Authorization: Bearer YOUR_API_KEY

# Or
X-Api-Key: YOUR_API_KEY
```

## Key types

| Prefix | Type                | Use                                                                                                              |
| ------ | ------------------- | ---------------------------------------------------------------------------------------------------------------- |
| `sk_…` | **Secret key**      | Server-side only. Required for value-affecting writes. Never expose it in a browser, mobile app, or public repo. |
| `pk_…` | **Publishable key** | Read-only. Safe for client contexts where you only fetch data, such as rates.                                    |

<Warning>
  Treat your secret key like a password. If a key is exposed, rotate it immediately from the console
  (**Developers → API keys**). Wayex will never ask you for your secret key.
</Warning>

## Tenant binding

Every API key belongs to one tenant account. Its requests can read and change only that account's
customers, wallet, configuration, webhooks, and reporting.

Create and store credentials separately for every tenant account. Choose the credential before
making a request; the key determines the account for every Treasury call. Never reuse an
idempotency key across separate credential stores.

## Roles

Each key is bound to a **role** that scopes what it can do. Reads are available to your role's scope.
**Value-affecting** writes — creating a customer, a payment route, a webhook subscription, or an
API key, or submitting a Treasury wallet operation — require a secret key with write access.

## Treasury scopes

| Scope            | Access                                                                                                                                                                                             |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `treasury:read`  | Treasury overview, effective account settings, balances, funding, beneficiaries, payouts, withdrawals, conversions, and transaction history.                                                       |
| `treasury:write` | Funding-instrument and beneficiary creation, Sumsub evidence handoff, AUD payouts, stablecoin withdrawals, conversion quotes and conversion acceptance. Write access implies Treasury read access. |

Keys created without an explicit scope list retain their role-implied access for backwards
compatibility. When you provide a scope list, include the Treasury scopes your integration needs.

<Note>
  Direct-route transfers are recorded automatically when a customer funds a payment route. Treasury
  is different: you create payouts, withdrawals and quoted wallet conversions against a prefunded
  wallet owned only by the authenticated tenant account. See the [Treasury
  overview](/treasury/overview) and [API reference](/api-reference/overview).
</Note>

A request made with an out-of-scope key returns `403`.

## Example request

```bash theme={null}
curl "https://api.sandbox.wayex.com/v1/rates?source=aud&destination=usdc" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

An unauthenticated or invalid request returns `401`. See [Errors](/errors) for the full error shape.
