# Authentication

> API keys, header format, and best practices.

Cogito authenticates with bearer tokens — the same shape OpenAI uses, so any OpenAI-compatible SDK works without modification.

```http
Authorization: Bearer cog-live-...
```

## Creating keys

1. Sign in at [cogito.decart.ai](https://cogito.decart.ai).
2. Open **Dashboard → API keys**.
3. Click **Create**, name the key (we recommend naming it after the environment — `production-api`, `local-dev`), and copy the secret immediately. The full secret is shown once.

## Best practices

* **One key per environment**. Local dev, staging, and production should each have their own key.
* **Rotate on schedule**. We surface `last_used_at` on every key — keys that haven't been used in 30 days are good rotation candidates.
* **Revoke instantly**. Compromised keys can be revoked from the dashboard; revocation propagates within seconds.
* **Don't commit keys**. Use environment variables (`COGITO_API_KEY`) or your platform's secret manager.

## Scopes

For the MVP, every key has full account scope, so any leaked key exposes the whole account until it is revoked. Per-key scoping (read-only, model-specific, monthly budget) ships in the next release.

## Errors

A request without a valid key returns:

```json
{
  "error": {
    "type": "invalid_request_error",
    "code": "invalid_api_key",
    "message": "The API key provided is missing or revoked.",
    "request_id": "req_..."
  }
}
```

Always log the `request_id` — we trace it through every layer of the gateway and inference cluster, so support can find your request immediately.
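
The following Python is an added example, not Cogito's SDK or code from this page: it reads the key from `COGITO_API_KEY`, builds the bearer header, and logs the `code` and `request_id` from an error body without writing the secret to the log. The function names, the logger name and the `req_EXAMPLE123` id in the sample body are assumptions made for illustration.

```python
import json
import logging
import os

log = logging.getLogger("cogito_client")  # hypothetical logger name
KEY_ENV_VAR = "COGITO_API_KEY"            # variable name given on this page
KEY_PREFIX = "cog-live-"                  # prefix shown in the header example

# Constructed sample: same shape as the documented error, made-up request id.
SAMPLE_ERROR_BODY = json.dumps({"error": {
    "type": "invalid_request_error", "code": "invalid_api_key",
    "message": "The API key provided is missing or revoked.",
    "request_id": "req_EXAMPLE123"}})


def load_api_key(environ=os.environ):
    """Read the key from the environment; fail closed if absent or blank."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def auth_headers(key):
    """Build the bearer header; refuse CR/LF so a bad value cannot split headers."""
    if "\r" in key or "\n" in key:
        raise ValueError("API key contains a line break")
    return {"Authorization": f"Bearer {key}"}


def redact(key):
    """Log-safe stand-in for a key: the public prefix at most, never the secret."""
    return KEY_PREFIX + "***" if key.startswith(KEY_PREFIX) else "***"


def handle_error(body, key):
    """Return (code, request_id) from an error body and log both, minus the secret."""
    try:
        err = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        err = {}
    if not isinstance(err, dict):
        err = {}
    code, request_id = err.get("code"), err.get("request_id")
    log.error("Cogito auth failure code=%s request_id=%s key=%s",
              code, request_id, redact(key))
    return code, request_id
```

Passing the result of `auth_headers(load_api_key())` to an HTTP client keeps the secret out of source files, and `handle_error` tolerates bodies that are not the documented JSON shape by returning `(None, None)`.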
