# Authentication (/authentication)

All requests authenticate with a single bearer token.

```http
Authorization: Bearer $UNIFAPI_KEY
```

## API keys [#api-keys]

* Keys are workspace-scoped — every team member sees the same usage and billing.
* Rotate any key from the dashboard. The old key keeps working for 24 hours after rotation; after that, requests using it return `401`.
* Keys never expire on their own. Rotate them if you suspect a leak.

The gateway forwards your key verbatim as the upstream provider's bearer token, so the same key is what authorizes both UnifAPI and the underlying API.

<Callout type="warn">
  Never commit a live key. UnifAPI scans public GitHub for leaked keys and revokes them automatically — but you'll have downtime.
</Callout>

## Errors [#errors]

A `401` means the key is missing, malformed, or rejected by the upstream:

```json
{
  "error": {
    "type": "unauthorized",
    "message": "Upstream rejected the API token",
    "request_id": "tikhub-..."
  }
}
```

See [Errors](/errors) for the full vocabulary.
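A small client wrapper in Python, added here as an example (not UnifAPI's own code), that builds the bearer header, rejects a key with stray whitespace before any request, parses the `401` envelope above, and logs only a fingerprint of the key since the same key also authorizes the upstream provider. The base URL, the `fake_401_opener` stand-in, and the `request_id` value are constructed for offline use.

```python
import io
import json
import urllib.error
import urllib.request
from typing import Optional

# Constructed base URL for illustration; the page does not state the gateway host.
BASE_URL = "https://gateway.example.invalid"


def auth_header(key: Optional[str]) -> dict:
    """Build the bearer header from the page. Reject empty keys and keys with
    surrounding whitespace (a trailing newline copied from a .env file is a
    common cause of a 'malformed' 401) so misconfiguration fails locally."""
    if not key or key != key.strip():
        raise ValueError("UNIFAPI_KEY is unset, empty, or has surrounding whitespace")
    return {"Authorization": f"Bearer {key}"}


def redact(key: str) -> str:
    """Fingerprint for logs; the full key never goes into logs or error reports."""
    return f"{key[:4]}...{key[-4:]}" if len(key) >= 16 else "****"


def parse_unauthorized(body: bytes) -> dict:
    """Flatten the 401 envelope shown on the page; tolerate non-JSON bodies."""
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        err = {}
    return {"type": err.get("type", "unauthorized"),
            "message": err.get("message", ""),
            "request_id": err.get("request_id", "")}


def call(path: str, key: str, opener=urllib.request.urlopen) -> dict:
    """GET a gateway path; on 401 return the parsed error plus a key fingerprint."""
    req = urllib.request.Request(BASE_URL + path, headers=auth_header(key))
    try:
        with opener(req) as resp:
            return {"ok": True, "status": resp.status, "body": json.loads(resp.read() or b"{}")}
    except urllib.error.HTTPError as e:
        if e.code != 401:
            raise
        info = parse_unauthorized(e.read())
        return {"ok": False, "status": 401, "key": redact(key), **info}


def fake_401_opener(req):
    """Constructed stand-in for urlopen that replays the page's 401 body offline."""
    body = (b'{"error":{"type":"unauthorized","message":"Upstream rejected the API token",'
            b'"request_id":"req-constructed-1"}}')
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {}, io.BytesIO(body))
```

Pass `opener=fake_401_opener` to `call` to exercise the 401 path without network access; omit it to use the real `urlopen`.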

## OAuth 2.0 (roadmap) [#oauth-20-roadmap]

OAuth is on the roadmap. See [`/.well-known/oauth-protected-resource`](https://unifapi.com/.well-known/oauth-protected-resource) for the current state of the discovery endpoint.
