# API Keys

API keys provide a secure and flexible way to authenticate requests to the OLI API. They serve as an alternative to bearer tokens, allowing users to manage long-lived authentication credentials for various use cases. Here's an overview of API key functionality.

{% hint style="info" %}
The API key can be passed in the Authorization header to all endpoints.
{% endhint %}

| Header Key    | Header Value       |
| ------------- | ------------------ |
| Authorization | `API-KEY <apiKey>` |

### **Features of API Keys**

1. **Generation**:
   * API keys can be generated by authenticated users via a [`POST` request.](https://devdocs.olisystems.com/authentication/api-keys/generate-a-key)
   * Keys can be customized with a name and an optional expiry date (in epoch milliseconds).
2. **Management**:
   * A user can have up to **5 active API keys** at a time.
   * The list of active and deleted API keys can be retrieved via the [`GET` endpoint.](https://devdocs.olisystems.com/authentication/api-keys/list-all-keys)
3. **Deletion**:
   * API keys can be deleted when no longer needed using the [`DELETE` endpoint.](https://devdocs.olisystems.com/authentication/api-keys/delete-a-key)
   * Deleted keys are immediately invalidated.

### **Security Best Practices**

* **Use expiration dates** to limit the lifespan of API keys.
* Regularly **review and delete unused keys** to minimize security risks.
* Store API keys securely; they are only visible at the time of creation.
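
The practices above can be checked mechanically. The following is an added example, not code from the OLI documentation: it computes an expiry in epoch milliseconds, builds the `API-KEY` header from an environment variable instead of a hard-coded string, and audits a key inventory. The environment variable name `OLI_API_KEY`, the record fields (`name`, `expiry`, `deleted`) and the 90-day lifetime threshold are assumptions made for illustration.

```python
import os
import time

MAX_ACTIVE_KEYS = 5           # per-user limit stated on this page
DAY_MS = 24 * 60 * 60 * 1000  # expiry values are epoch milliseconds

def expiry_ms(days, now_ms=None):
    """Epoch-millisecond expiry `days` from now, for a key-generation request."""
    if days <= 0:
        raise ValueError("expiry must be in the future")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return now_ms + days * DAY_MS

def auth_header(env_var="OLI_API_KEY"):
    """Build the Authorization header; the env var name is an assumption."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    return {"Authorization": f"API-KEY {key}"}

def audit_keys(keys, now_ms, max_lifetime_days=90):
    """Return (name, finding) pairs; record fields are assumed, not the API schema."""
    findings = []
    active = [k for k in keys if not k.get("deleted")]
    for k in active:
        exp = k.get("expiry")
        if exp is None:
            findings.append((k["name"], "no expiry set"))
        elif exp <= now_ms:
            findings.append((k["name"], "past expiry but not deleted"))
        elif exp - now_ms > max_lifetime_days * DAY_MS:
            findings.append((k["name"], f"expires more than {max_lifetime_days} days out"))
    if len(active) >= MAX_ACTIVE_KEYS:
        findings.append(("*", "at the active-key limit"))
    return findings

# Constructed sample inventory (not real API output).
NOW = 1_700_000_000_000
SAMPLE = [
    {"name": "ci-pipeline", "expiry": NOW + 30 * DAY_MS, "deleted": False},
    {"name": "old-script", "expiry": None, "deleted": False},
    {"name": "notebook", "expiry": NOW + 400 * DAY_MS, "deleted": False},
    {"name": "retired", "expiry": None, "deleted": True},
]

if __name__ == "__main__":
    for name, finding in audit_keys(SAMPLE, NOW):
        print(f"{name}: {finding}")
```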
