> ## Documentation Index
> Fetch the complete documentation index at: https://docs.openxswitch.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> OpenXSwitch uses API key-based authentication to secure access to platform resources and infrastructure operations.

### API Key Usage

All API requests must include your API key in the `Authorization` header as a Bearer token.

#### Required Header

```curl highlight={1} theme={null}
Authorization: Bearer YOUR_API_KEY
Content-Type: application/json
```

Replace `YOUR_API_KEY` with the key generated from your OpenXSwitch Console.

### API Key Setup

1. Navigate to **Accounts → API Management** in the OpenXSwitch Console
2. Click **Create API Key**
3. Select required **permissions** (e.g. wallet, withdrawal, trading, read access)
4. (Optional but recommended) Enable **IP Restrictions**
   * Add up to 5 trusted IP addresses
   * Requests from other IPs will be rejected
5. Click **Generate API Key**

> ⚠️ API Management is restricted to **Owner** and **Admin** roles only.

### Smart Account Authentication

For smart account operations (e.g. wallet creation and transfers), some endpoints require an additional header for execution context. [Learn more](/get-started/authentication)

```javascript theme={null}
x-wallet-secret: YOUR_WALLET_SECRET
```

### Example Requests

1. **Create Sub-wallet**\
   Create sub-wallet using an authenticated API request.

Request

<CodeGroup>
  ```shellscript cURL highlight={2} theme={null}
  curl -X POST "https://api.openxswitch.com/v1/sub-wallet/create" \  
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@openxswitch.com",
    "name": "openxswitch"
  }'
  ```

  ```typescript JavaScript highlight={5} theme={null}
  const axios = require('axios');

  const url = "https://api.openxswitch.com/v1/sub-wallet/create";
  const headers = {
      "Authorization": "Bearer YOUR_API_KEY",
      "Content-Type": "application/json"
  };
  const data = {
      "email": "admin@openxswitch.com",
      "name": "openxswitch"
  };

  axios.post(url, data, { headers })
      .then(response => console.log(response.data))
      .catch(error => console.error(error));
  ```

  ```python Python highlight={5} theme={null}
  import requests

  url = "https://api.openxswitch.com/v1/sub-wallet/create"
  headers = {
      "Authorization": "Bearer YOUR_API_KEY",
      "Content-Type": "application/json"
  }
  data = {
      "email": "admin@openxswitch.com",
      "name": "openxswitch"
  }

  response = requests.post(url, json=data, headers=headers)
  print(response.json())
  ```

  ```php PHP highlight={6} theme={null}
  <?php

  $url = "https://api.openxswitch.com/v1/sub-wallet/create";

  $headers = [
      "Authorization: Bearer YOUR_API_KEY",
      "Content-Type: application/json"
  ];

  $data = json_encode([
      "email" => "admin@openxswitch.com",
      "name" => "openxswitch"
  ]);

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
  curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

  $response = curl_exec($ch);
  curl_close($ch);

  echo $response;
  ?>
  ```

  ```java JAVA highlight={14} theme={null}
  import okhttp3.*;

  public class Main {
      public static void main(String[] args) throws Exception {
          OkHttpClient client = new OkHttpClient();

          MediaType mediaType = MediaType.parse("application/json");
          RequestBody body = RequestBody.create(mediaType, 
              "{ \"email\": \"admin@openxswitch.com\", \"name\": \"openxswitch\" }");

          Request request = new Request.Builder()
              .url("https://api.openxswitch.com/v1/sub-wallet/create")
              .post(body)
              .addHeader("Authorization", "Bearer YOUR_API_KEY")
              .addHeader("Content-Type", "application/json")
              .build();

          Response response = client.newCall(request).execute();
          System.out.println(response.body().string());
      }
  }
  ```
</CodeGroup>

2. **Generate Wallet Address**\
   Generate or fetch wallet address using an authenticated API request.

```curl highlight={2} theme={null}
curl -X POST "https://api.openxswitch.com/v1/sub-wallet/address" \  
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
  "subWalletId": "3224333.....",
  "coin": "ETH",
  "chain": "ETH"
}'
```

> 📘 For further details on API permission, refer to the [API permissions](api-permissions)  documentation

### Security Best Practices

* **Keep Your API Key Secret:** Never share your API key in public code or repositories.
* **Use IP Restrictions:** Limit API access to specific trusted IPs.
* **Grant Minimum Necessary Permissions:** Select only the required access rights for your API key (e.g., withdrawal, trade, wallet management) to minimize security risks.
* **Rotate API Keys Regularly:** To reduce the risk of compromised credentials.
* **Monitor API Usage:** Regularly review API logs and activity to detect any unauthorized access or unusual behavior.
