> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rentfax.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate with the RentFAX API

> Pass your API key on every request using the x-api-key or Authorization: Bearer header. Keys are generated and managed from Settings in your dashboard.

Every request to the RentFAX API must include a valid API key. The API uses key-based authentication — there are no session cookies or OAuth flows for server-to-server calls. You include your key in a request header, and the API validates it on each call.

## Obtaining an API key

You can generate an API key in two ways:

* **Dashboard:** Go to **Settings → API Keys** in your RentFAX account and click **Create Key**.
* **API:** Send a `POST` request to `/v1/keys` authenticated with an existing key (or your dashboard session token).

<Note>
  Your API key is shown only once, immediately after creation. Copy and store it securely before closing the dialog — it cannot be retrieved again.
</Note>

You can have up to **5 active keys** per account at any time. To create a new key once you reach the limit, revoke an existing one first.

## Passing your API key

You can authenticate requests using either of the following headers. Both are accepted by every endpoint.

### Option 1: `x-api-key` header

```
x-api-key: rfx_live_your_key_here
```

### Option 2: `Authorization: Bearer` header

```
Authorization: Bearer rfx_live_your_key_here
```

Both headers have identical behavior. Choose whichever fits your HTTP client or integration library best.

## Code examples

<CodeGroup>
  ```bash curl theme={null}
  curl https://api.rentfax.io/v1/renter/check?email=jane@example.com \
    -H "x-api-key: rfx_live_your_key_here"
  ```

  ```bash curl (Bearer) theme={null}
  curl https://api.rentfax.io/v1/renter/check?email=jane@example.com \
    -H "Authorization: Bearer rfx_live_your_key_here"
  ```

  ```javascript JavaScript (fetch) theme={null}
  const response = await fetch(
    'https://api.rentfax.io/v1/renter/check?email=jane@example.com',
    {
      headers: {
        'x-api-key': process.env.RENTFAX_API_KEY,
      },
    }
  );

  const data = await response.json();
  console.log(data);
  ```

  ```python Python theme={null}
  import os
  import requests

  response = requests.get(
      'https://api.rentfax.io/v1/renter/check',
      params={'email': 'jane@example.com'},
      headers={'x-api-key': os.environ['RENTFAX_API_KEY']},
  )

  data = response.json()
  print(data)
  ```
</CodeGroup>

## API key format

All RentFAX API keys begin with the prefix `rfx_live_` followed by a 32-character alphanumeric string. For example:

```
rfx_live_A3bCdEfGhJkLmNpQrStUvWxYz234567
```

The API rejects any key that does not start with `rfx_`. If you receive an `Invalid API key format` error, check that you are not passing a dashboard session token or a truncated key value.

## 401 Unauthorized errors

A `401` response means the request could not be authenticated. The response body describes the specific reason.

<Tabs>
  <Tab title="Missing key">
    **Cause:** No `x-api-key` or `Authorization` header was sent.

    ```json theme={null}
    {
      "ok": false,
      "error": "Missing API key.",
      "docs": "https://docs.rentfax.io/api"
    }
    ```

    **Fix:** Add the `x-api-key` header to your request.
  </Tab>

  <Tab title="Invalid format">
    **Cause:** The key value does not start with `rfx_`.

    ```json theme={null}
    {
      "ok": false,
      "error": "Invalid API key format. Keys begin with rfx_"
    }
    ```

    **Fix:** Verify you are passing the full key, not a preview or truncated value. The dashboard shows only the first 12 characters of existing keys — use the value saved at creation time.
  </Tab>

  <Tab title="Revoked or not found">
    **Cause:** The key exists in your account but has been revoked, or the key value does not match any active key.

    ```json theme={null}
    {
      "ok": false,
      "error": "API key not found or revoked."
    }
    ```

    **Fix:** Go to **Settings → API Keys** in the dashboard and confirm the key is active. Generate a new key if needed.
  </Tab>
</Tabs>

## Rate limits

The API enforces per-key rate limits measured in requests per minute:

| Plan       | Limit                   |
| ---------- | ----------------------- |
| Standard   | 100 requests / minute   |
| Enterprise | 1,000 requests / minute |

When you exceed the limit, the API returns a `429` status with a `Retry-After: 60` header. Wait for the indicated number of seconds before retrying.

```json theme={null}
{
  "ok": false,
  "error": "Rate limit exceeded. 100 requests/minute on standard plan."
}
```

## Security best practices

<Warning>
  Never hardcode your API key directly in source code or commit it to version control. A leaked key grants full API access under your account.

  * Store keys in environment variables (e.g., `RENTFAX_API_KEY`).
  * Use separate keys for development, staging, and production environments.
  * Revoke any key you suspect has been exposed and generate a replacement immediately.
  * Treat your API keys with the same care as passwords.
</Warning>

## Managing keys

To create, list, or revoke API keys:

* **Dashboard:** Go to **Settings → API Keys** — see [API keys](/billing/api-keys) for a step-by-step guide.
* **API:** Use the `/v1/keys` endpoints — see the [keys endpoint reference](/billing/api-keys).
