> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nmcrate.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Create studio API keys in Studio Settings → API and authenticate requests with the x-api-key header.

Every Studio API request needs a **studio API key**. Keys are created in the store UI, never over the API itself.

## Creating a key

1. Open your studio's dashboard and go to **Settings → API**.
2. Click **New key**, give it a recognisable name (e.g. "Discord bot"), and pick a tier:
   * **Basic**, free. Reads your studio profile, products, and version history.
   * **Premium**, requires an active **Branding+** subscription. Everything in Basic, plus sales, revenue summaries, timeseries, and top products.
3. Copy the key immediately. It is shown **exactly once**, only a hash is stored on our side.

A key looks like:

```text theme={null}
nmk_studio_9f4c1e2ab37d85f60b1a4c9d2e7f30581a6b4c8d
```

Managing keys requires the **Manage settings** permission on the studio (owners always have it). A studio can have at most **10 active keys**.

## Sending the key

Use the `x-api-key` header (recommended):

```bash theme={null}
curl https://nmcrate.com/api/public/v1/studio/products \
  -H "x-api-key: nmk_studio_..."
```

Or as a bearer token:

```bash theme={null}
curl https://nmcrate.com/api/public/v1/studio/products \
  -H "Authorization: Bearer nmk_studio_..."
```

## Key tiers and the live subscription check

The tier is a property of the **key**, chosen at creation:

* A **basic** key never gets premium access, even while the studio is subscribed. This lets you hand a basic key to a third-party integration without exposing your sales data.
* A **premium** key works on premium endpoints only while the studio's Branding+ subscription is **currently active**. The subscription is verified live on every request; if it ends, premium endpoints respond with `403 SUBSCRIPTION_INACTIVE` until the plan is renewed. Free endpoints keep working with the same key throughout.

## Scope and isolation

* A studio key identifies **the studio**, not the member who created it. It only works on `…/public/v1/studio/*` endpoints and can only read its own studio's data.
* Studio keys are rejected everywhere else on the public API (`401 STUDIO_KEY_NOT_ALLOWED`), and personal keys (`nmk_live_…`) are rejected on studio endpoints (`401 STUDIO_KEY_REQUIRED`).
* Browser sessions are **not** accepted on studio endpoints.

## Revoking a key

Revoke a key any time from **Settings → API**. Revocation takes effect immediately: the next request with that key returns `401 REVOKED_API_KEY`. Revocation cannot be undone, create a new key instead.

<Warning>
  Treat keys like passwords. Don't commit them to git, don't ship them in client-side code, and revoke any key you suspect has leaked.
</Warning>
