# Authentication

Card Issuing supports partner-controlled and customer-controlled authentication flows.

## Partner API key

Use `x-partner-api-key` for server-side partner registration and login routes:

- `POST /v1/auth/register/partner`
- `POST /v1/auth/login/partner`


Never expose the partner API key in browser or mobile clients.

## Partner identifier

Email and wallet registration/login routes use the partner identifier configured for your integration:

```http
x-partner-id: YOUR_PARTNER_ID
```

Use this header on email and wallet registration/login routes such as `POST /v1/auth/register/email`, `POST /v1/auth/register/wallet/challenge`, and `POST /v1/auth/login/email`.

Email registration passwords must be strong: at least 8 characters with lowercase, uppercase, number, and symbol characters.

## Customer bearer token

Customer-scoped routes use:

```http
Authorization: Bearer CUSTOMER_ACCESS_TOKEN
```

Use this token for KYC, accounts, cards, topups, and transactions.

## Refresh tokens and 2FA

Refresh expired access tokens with `POST /v1/auth/refresh` using the refresh token as the bearer token:

```http
Authorization: Bearer CUSTOMER_REFRESH_TOKEN
```

If a login flow returns a session requiring two-factor authentication, use the returned session token as the bearer token for:

- `POST /v1/auth/2fa/send`
- `POST /v1/auth/2fa/verify`