
# Authentication

> API tokens and security best practices

ToughTongue AI authenticates API requests with Bearer tokens sent in the `Authorization` header.

## Get Your Token

1. Go to [Developer Portal](https://app.toughtongueai.com/developer?tab=api-keys)
2. Click **Create API Key**
3. Copy it immediately; it won't be shown again

## Use Your Token

```bash
curl https://api.toughtongueai.com/api/public/scenarios \
  -H "Authorization: Bearer YOUR_API_TOKEN"
```

## Test Your Token

```bash
# The body is JSON, so declare it; curl's -d defaults to form encoding otherwise
curl -X POST https://api.toughtongueai.com/api/public/test \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"message": "test"}'
```

***

## Security Rules

### ❌ Never Do This

```javascript
// Client-side — EXPOSED TO USERS
const API_TOKEN = "sk_live_abc123";
fetch("https://api.toughtongueai.com/...", {
  headers: { Authorization: `Bearer ${API_TOKEN}` },
});
```

### ✅ Do This Instead

```javascript
// Frontend: call your own backend; the browser never sees the API token
fetch("/api/analyze", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ session_id }),
});

// Backend (Express): the token is read from server-side environment variables
app.use(express.json());
app.post("/api/analyze", async (req, res) => {
  const response = await fetch("https://api.toughtongueai.com/...", {
    headers: { Authorization: `Bearer ${process.env.TTAI_TOKEN}` },
  });
  // Pass the upstream status through so the client can tell success from failure
  res.status(response.status).json(await response.json());
});
```

***

## Environment Variables

```bash
# .env
TTAI_TOKEN=your_token_here
```

```javascript
const apiToken = process.env.TTAI_TOKEN;
```

Add to `.gitignore`:

```
.env
.env.local
```

***

## Organization Context

To scope API calls to a specific organization, send its ID in the `X-Organization-ID` header:

```javascript
fetch("https://api.toughtongueai.com/api/public/scenarios", {
  headers: {
    Authorization: "Bearer YOUR_TOKEN",
    "X-Organization-ID": "org_123",
  },
});
```
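The backend-proxy pattern from "Do This Instead", the environment-variable loading above, and the organization header from this section fit together in one server-side module. The following is an added example, not ToughTongue's own code: it loads `TTAI_TOKEN` at startup and fails fast if it is missing, validates the client's `session_id` before anything is forwarded, adds the `Authorization` and optional `X-Organization-ID` headers on the server, and redacts the token from logs and error responses so an upstream failure never echoes the credential back to a browser. The base URL, the `/api/public/...` paths and the header names come from this page; the assumptions are that the proxied endpoint accepts a JSON body with `session_id` (the page elides the real endpoint), that the client passes its organization ID as an `x-organization-id` request header, and that the handler is mounted on an Express app with `express.json()` enabled. `fetchImpl`, `env` and `log` are injectable only so the module can be exercised offline.

```javascript
// Added example (not ToughTongue's own code): a backend proxy that keeps the
// API token server-side and keeps it out of logs and client-facing errors.
const UPSTREAM_BASE = "https://api.toughtongueai.com";

// Fail fast at startup if the token is missing rather than sending
// unauthenticated requests later. `env` is injectable for testing.
function loadToken(env = process.env) {
  const token = env.TTAI_TOKEN;
  if (typeof token !== "string" || token.trim() === "") {
    throw new Error("TTAI_TOKEN is not set; refusing to start");
  }
  return token;
}

// Build the upstream request for a public API path. The Authorization header
// is always added here, from the server's own token, never from the client.
function buildUpstreamRequest(path, { token, orgId, body } = {}) {
  if (!path.startsWith("/api/public/")) {
    throw new Error(`refusing to proxy to non-public path: ${path}`);
  }
  const headers = { Authorization: `Bearer ${token}` };
  if (orgId) headers["X-Organization-ID"] = orgId; // organization scoping
  const init = { method: body ? "POST" : "GET", headers };
  if (body) {
    headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  return { url: UPSTREAM_BASE + path, init };
}

// Remove the token from anything that may be logged or returned to a browser.
function redactToken(text, token) {
  return token ? String(text).split(token).join("[REDACTED]") : String(text);
}

// Express-style handler factory (assumed usage: app.post("/api/analyze", makeProxyHandler({ path }))).
// `fetchImpl` and `log` are injectable so the proxy can run offline against a fake upstream.
function makeProxyHandler({ path, env = process.env, fetchImpl = globalThis.fetch, log = console.error }) {
  const token = loadToken(env);
  return async (req, res) => {
    // Validate client input before it is forwarded anywhere.
    const sessionId = req.body && req.body.session_id;
    if (typeof sessionId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(sessionId)) {
      return res.status(400).json({ error: "invalid session_id" });
    }
    // Assumption: the client names its organization via this request header.
    const orgId = req.headers && req.headers["x-organization-id"];
    const { url, init } = buildUpstreamRequest(path, { token, orgId, body: { session_id: sessionId } });
    try {
      const upstream = await fetchImpl(url, init);
      const data = await upstream.json();
      if (!upstream.ok) {
        // Log the upstream failure server-side with the token redacted and
        // return a generic error, so nothing about the credential reaches the client.
        log(redactToken(`upstream ${upstream.status}: ${JSON.stringify(data)}`, token));
        return res.status(502).json({ error: "upstream request failed" });
      }
      return res.status(200).json(data);
    } catch (err) {
      log(redactToken(`upstream error: ${err.message}`, token));
      return res.status(502).json({ error: "upstream request failed" });
    }
  };
}
```

Mounting it as `app.post("/api/analyze", makeProxyHandler({ path: "/api/public/test" }))` gives the frontend a single same-origin endpoint to call; the whitelist check on `path` in `buildUpstreamRequest` keeps the handler from being repurposed as an open proxy, and the redaction step is what makes the "Monitor API usage" checklist item safe to act on, since the logs you review will not contain the token itself.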

***

## Checklist

* [ ] Store tokens in environment variables
* [ ] Proxy API calls through backend
* [ ] Use HTTPS for all requests
* [ ] Rotate tokens periodically
* [ ] Delete unused tokens
* [ ] Monitor API usage
