# ABP Authentication - API Key Setup

> Learn how to authenticate ABP API requests using the `x-api-key` header. Covers API key resolution, rate limiting, and WebSocket authentication.

All ABP endpoints require authentication via the `x-api-key` header, except the unauthenticated infrastructure endpoints (`/health`, `/ready`, `/status`, `/metrics`).

## How to authenticate

Pass your API key in the `x-api-key` request header:

```bash
curl -H "x-api-key: your-api-key" \
  https://v2.55-tech.com/accounts
```

## API key metadata

Each API key resolves to a client and its access rules:

| Field        | Description                                                                |
| ------------ | -------------------------------------------------------------------------- |
| `clientName` | Your client identifier — all accounts, orders, and bets are filtered by it |
| `bookmakers` | Allowed bookmaker slugs (empty = all bookmakers)                           |
| `rps`        | Requests per second allowed for this client (default: 100)                 |
| `active`     | Whether this key is active                                                 |

Your API key determines which accounts, orders, and bets you can access. All data is filtered by your `clientName`.

## WebSocket authentication

For WebSocket connections, authenticate via the login message after connecting (the `/ws` endpoint itself does not require the `x-api-key` header):

```json
{
  "type": "login",
  "apiKey": "your-api-key",
  "channels": []
}
```

You must send the login message within **30 seconds** of connecting, or the connection is closed. See [WebSocket](/abp-api/websocket) for details.

## Rate limiting

Requests are rate-limited **per client** — by default 100 requests per second, with a maximum of 5 concurrent WebSocket connections per API key. Full detail, headers, and backoff guidance live in [Rate limits](/abp-api/reliability#rate-limits).

## Error responses

<Note>
  The auth middleware emits errors under an `error` key, while application-level errors (validation, not-found, etc.) use the FastAPI-standard `detail` key. Handle both shapes.
</Note>

| Situation                                                      | Status | Body                                                                  |
| -------------------------------------------------------------- | ------ | --------------------------------------------------------------------- |
| Header missing                                                 | `403`  | `{"detail": "Missing API key header: x-api-key"}`                     |
| Key invalid / inactive / expired                               | `401`  | `{"error": "Invalid or inactive API key"}`                            |
| Key valid but not allowed for the endpoint / sport / bookmaker | `403`  | `{"error": "Access denied to endpoint"}`                              |
| Rate limit exceeded                                            | `429`  | `{"detail": "Rate limit exceeded", "limit": "100", "retry_after": 1}` |
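
One way for a client to handle both shapes, as an added example that is not part of the ABP documentation or any official SDK. `ApiError` and `parse_error` are hypothetical names, the sample bodies are the ones from the table above, and the 1-second fallback for a malformed `retry_after` is an assumption.

```python
import json
from dataclasses import dataclass
from typing import Optional

@dataclass
class ApiError:
    status: int
    message: str
    source: str                          # "auth" (`error` key), "app" (`detail` key) or "unknown"
    retry_after: Optional[float] = None  # seconds; set only for 429
    retryable: bool = False

def parse_error(status: int, raw_body: str) -> ApiError:
    """Normalize the `error` and `detail` body shapes into one ApiError."""
    try:
        body = json.loads(raw_body)
    except (ValueError, TypeError):
        body = None
    if not isinstance(body, dict):
        # Empty bodies or non-JSON proxy pages: keep the status, drop the payload.
        return ApiError(status, "unparseable error body", "unknown")
    if "error" in body:
        message, source = str(body["error"]), "auth"
    elif "detail" in body:
        # FastAPI validation errors carry a list under `detail`; serialize it.
        detail = body["detail"]
        message = detail if isinstance(detail, str) else json.dumps(detail)
        source = "app"
    else:
        message, source = "unknown error", "unknown"
    err = ApiError(status, message, source)
    if status == 429:
        # Only rate limiting is retried; 401/403 need a key or permission fix,
        # and retrying them just repeats a rejected credential.
        try:
            err.retry_after = max(float(body.get("retry_after", 1)), 0.0)
        except (TypeError, ValueError):
            err.retry_after = 1.0  # assumed fallback when the field is malformed
        err.retryable = True
    return err

# Constructed samples: the status/body pairs listed in the table above.
SAMPLES = [
    (403, '{"detail": "Missing API key header: x-api-key"}'),
    (401, '{"error": "Invalid or inactive API key"}'),
    (403, '{"error": "Access denied to endpoint"}'),
    (429, '{"detail": "Rate limit exceeded", "limit": "100", "retry_after": 1}'),
]
```

Branch on `status` and `retryable` rather than on the message text, and keep the API key itself out of any log line that records these errors.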

## Next steps

<Columns cols={2}>
  <Card title="Quickstart" icon="rocket" href="/abp-api/quickstart">
    Place your first bet in 5 steps.
  </Card>

  <Card title="Limits & Reliability" icon="gauge-high" href="/abp-api/reliability">
    Per-client rate limits, circuit breakers, and emergency mode.
  </Card>
</Columns>
