> For the complete documentation index, see [llms.txt](https://docs.useshadowpay.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.useshadowpay.com/api-reference/authentication.md).

# Authentication

The ShadowPay REST API lets developers manage accounts, initiate transfers, and configure agent wallets programmatically. All API access requires an API key tied to a ShadowPay account.

***

## Generating an API key

API keys are generated from the **Developer** section of your ShadowPay dashboard:

1. Log in to your ShadowPay account
2. Navigate to **Dashboard → Developer → API Keys**
3. Click **Generate New Key**
4. Assign a name (for example, `production`, `dev`, `internal-tool`)
5. Copy and store the key securely. It's shown once.

Each API key is scoped to the account that created it. Transfers initiated via the API carry the exact same confidentiality guarantees as transfers initiated in the app.

***

## Using your API key

Include the key in the `Authorization` header on every request:

```
Authorization: Bearer <your_api_key>
```

Example:

```bash
curl -X POST https://api.shadowpay.xyz/v1/transfers \
  -H "Authorization: Bearer sp_live_xxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "to": "@vendor",
    "amount": "125.00",
    "asset": "USDC",
    "confidential": true,
    "memo": "Invoice #4471"
  }'
```

***

## API key types

| Prefix     | Environment | Use case                                        |
| ---------- | ----------- | ----------------------------------------------- |
| `sp_live_` | Mainnet     | Production: triggers real on-chain transactions |
| `sp_test_` | Devnet      | Development: no real USDC required              |

Use test keys during integration. Devnet requests don't interact with Solana mainnet and don't move real USDC.

***

## Key management

From the dashboard you can:

* **List** all API keys and their last-used timestamps
* **Revoke** individual keys immediately
* **View per-key usage:** request count and total USDC transferred

***

## Security

* Store API keys in environment variables or a secrets manager. Never commit them to source control.
* Rotate keys immediately if you suspect a key has been exposed.
* Use separate keys per environment (production, staging, development).
* Revoke unused keys from the dashboard.

A ShadowPay API key can move funds from your account. Treat it with the same care as a private key.

***

## What API keys can't do

An API key can never decrypt transaction amounts on ShadowPay's servers on your behalf. If your integration needs to read a confidential amount, it must do so client-side using your account's decryption key, the same way the ShadowPay app itself does.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.useshadowpay.com/api-reference/authentication.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
