# Authentication

This section explains how to authenticate your requests to the xMoney Crypto API using API keys.

## API keys

To generate the API key for the authentication of requests, head to the Merchant Dashboard
([sandbox](https://merchants.sandbox.crypto.xmoney.com) or [production](https://merchants.crypto.xmoney.com)) and in the
Organizations tab view and generate your keys.
The generated key will have a `u_live` or `u_test` prefix in order to be distinguished between
our sandbox and production environments, respectively.
You will also see the Webhooks secret which you will need to [verify the events signature](#tag/Webhooks),
save it for later.

Here's an example of how to include your API key in a curl request:


```bash
curl -X GET \
 https://merchants.api.crypto.xmoney.com/api/stores/orders/ \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

Your API keys are secret and should not be shared with anyone. If your API key is compromised, you should regenerate it immediately.

## Error response

If your request is not authenticated, you will receive a `401 Unauthorized` response.


```json
{
  "code": 401,
  "message": "invalid_api_key"
}
```

Here are some possible reasons why you might receive a `401 Unauthorized` response:

* You have not included your `API Key` in the `Authorization` header.
* You have included an invalid `API Key` in the `Authorization` header.


If you are receiving a `401 Unauthorized` response and you are sure that you are including a valid `API Key` in the `Authorization` header, please contact xMoney support for assistance.