> ## Documentation Index
> Fetch the complete documentation index at: https://docs.postsider.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate Volta Agent Bridge Requests with API Keys

> Volta API requests use API keys in the Authorization header. Learn how to create keys, use them in requests, and handle auth errors.

Every request to the Volta Agent Bridge — whether through the MCP server, the REST API, or the SDK — is authenticated with an API key. API keys are tied to your organization and grant full access to the Agent Bridge surface. There are no scoped or read-only keys; if you need to limit access, create a dedicated key per agent and revoke it when it's no longer needed.

## Getting your API key

<Steps>
  <Step title="Open API Keys settings">
    In the Volta dashboard, navigate to **Settings → API Keys**.
  </Step>

  <Step title="Create a new key">
    Click **Create New Key** and give it a descriptive name. Use names that identify the consumer, such as `Claude Code agent`, `CI pipeline`, or `content-bot-prod`. This makes it easy to audit usage and revoke individual keys without disrupting other integrations.
  </Step>

  <Step title="Copy your key immediately">
    The full key value is shown exactly once, immediately after creation. Copy it to a secure location now — Volta does not display it again. If you lose a key, delete it and create a new one.
  </Step>
</Steps>

## Using your API key

<Tabs>
  <Tab title="REST API">
    Pass your API key as the value of the `Authorization` header on every request. Do not prefix it with `Bearer`.

    ```bash theme={null}
    curl -H 'Authorization: your-api-key' \
      https://your-instance.com/public/v1/integrations
    ```

    All `/public/v1` endpoints accept this header.
  </Tab>

  <Tab title="SDK">
    Pass your API key as the first argument to the `Postsider` constructor. The second argument is your instance base URL.

    ```typescript theme={null}
    import Postsider from '@postsider/node';

    const client = new Postsider(
      'your-api-key',
      'https://your-instance.com'
    );

    // All SDK methods automatically include the key
    const channels = await client.integrations();
    ```

    Every method on the client sends the key in the `Authorization` header automatically — you never need to set it again after construction.
  </Tab>

  <Tab title="MCP — URL key (simplest)">
    Embed your API key directly in the MCP server URL. This is the easiest method and works with any MCP-compatible client.

    ```
    https://your-instance.com/mcp/your-api-key
    ```

    Use this URL as the `url` value in your MCP client config (see [MCP Overview](/agent/mcp/overview) for full setup steps).
  </Tab>

  <Tab title="MCP — Bearer token">
    If your MCP client supports custom headers, you can keep the key out of the URL by sending it as a Bearer token to the base `/mcp` endpoint.

    ```
    Authorization: Bearer your-api-key
    Endpoint: https://your-instance.com/mcp
    ```

    This is preferred in environments where URLs are logged, since the key never appears in access logs.
  </Tab>
</Tabs>

## Key expiration and rotation

API keys **never expire** automatically. They remain valid until you delete them from **Settings → API Keys**. There is no automatic rotation — if you suspect a key has been compromised, delete it immediately and issue a new one.

## Rate limiting

The Public API enforces a limit of **60 requests per minute per organization**. All responses include rate-limit metadata in standard headers:

| Header                  | Description                              |
| ----------------------- | ---------------------------------------- |
| `X-RateLimit-Limit`     | Maximum requests allowed in the window   |
| `X-RateLimit-Remaining` | Requests remaining in the current window |
| `X-RateLimit-Reset`     | Unix timestamp when the window resets    |

When you exceed the limit, the API returns `429 Too Many Requests`. Your agent should read `X-RateLimit-Reset` and back off until the window resets before retrying.

## Auth errors

| Status                  | Meaning                                          | Fix                                                                           |
| ----------------------- | ------------------------------------------------ | ----------------------------------------------------------------------------- |
| `401 Unauthorized`      | API key is missing or invalid                    | Check that the `Authorization` header is present and the key value is correct |
| `402 Payment Required`  | Subscription limit reached for channels or posts | Review your plan limits in **Settings → Billing**                             |
| `429 Too Many Requests` | Rate limit exceeded                              | Wait for the window to reset (see `X-RateLimit-Reset`) then retry             |

## Best practices

<Tip>
  Create a separate API key for each agent, integration, or pipeline. Named keys make it easy to see which system made which requests in your audit log — and if one key is ever compromised, you can revoke it without affecting any other consumer.
</Tip>

<Warning>
  Never commit API keys to source code or check them into version control. Use environment variables or a secrets manager (such as `VOLTA_API_KEY` in your `.env` file) and make sure `.env` is in your `.gitignore`. A leaked key gives full Agent Bridge access to anyone who finds it.
</Warning>