Authentication Guide
Learn how to securely authenticate your API requests.
Overview
The ARi API uses subscription keys for authentication. Each request must include your subscription key in the request headers. This ensures that only authorized applications can access the API.
Required Header
Ocp-Apim-Subscription-Key: your-subscription-key
Getting Your Subscription Keys
Your subscription includes two keys: a primary key and a secondary key. Both keys provide the same level of access.
- Sign in to the Developer Portal
- Navigate to the Keys page
- Your primary and secondary keys will be displayed
- Click the copy button to copy a key to your clipboard
Key Rotation
We provide two keys to enable zero-downtime key rotation. Here's the recommended process for rotating your keys:
- Update your application to use the secondary key
- Deploy the changes and verify everything works
- Regenerate the primary key in the Developer Portal
- Update your application to use the new primary key
- Regenerate the secondary key for future rotation
Security Best Practices
Do
- Store keys in environment variables
- Use secrets management services
- Rotate keys periodically
- Use different keys for different environments
- Monitor API usage for anomalies
Don't
- Expose keys in client-side code
- Commit keys to version control
- Share keys via insecure channels
- Use the same key across all environments
- Ignore key compromise notifications
Example Implementation
Here's an example of how to securely configure API authentication in a Node.js application:
// config.js - Load from environment variables
const config = {
  apiKey: process.env.ARIARI_API_KEY,
  apiBaseUrl: 'https://api.ariari.xyz',
};
// Fail at startup rather than sending unauthenticated requests
if (!config.apiKey) {
  throw new Error('ARIARI_API_KEY environment variable is required');
}
export default config;

// api-client.js - Create a reusable API client
// Node.js ES modules require the file extension on relative imports
import config from './config.js';
export async function apiRequest(endpoint, options = {}) {
  const response = await fetch(`${config.apiBaseUrl}${endpoint}`, {
    ...options,
    headers: {
      'Ocp-Apim-Subscription-Key': config.apiKey,
      'Content-Type': 'application/json',
      // Caller-supplied headers are applied last and can override the defaults above
      ...options.headers,
    },
  });
  // Report only the status code; the key never appears in the error message
  if (!response.ok) {
    throw new Error(`API request failed: ${response.status}`);
  }
  return response.json();
}
Rate Limiting
The ARi API enforces rate limits to ensure fair usage and system stability. Each subscription is limited to 120 requests per minute.
Rate Limit Details
- Limit: 120 requests per minute per subscription key
- Window: Rolling 60-second window
- Response Headers: Check X-RateLimit-Remaining and X-RateLimit-Reset headers to track your usage
- Exceeded Limit: Returns 429 Too Many Requests error
Best Practice: Implement exponential backoff
If you receive a 429 error, wait for the time specified in the Retry-After header before retrying. Consider implementing exponential backoff for automatic retry logic.
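The retry guidance above as an added JavaScript example (not part of the ARi documentation or any ARi SDK): it honors Retry-After on a 429 and otherwise falls back to capped exponential backoff with jitter. The function names, option names and default delays are assumptions chosen for illustration.

```javascript
// Added example. Function and option names are illustrative assumptions,
// not part of the ARi API.

// Retry-After carries either delay-seconds or an HTTP-date (RFC 9110).
// Returns the wait in milliseconds, or null if absent or unparseable.
function parseRetryAfter(value, now = Date.now()) {
  if (value == null || value.trim() === '') return null;
  if (/^\d+$/.test(value.trim())) return Number(value.trim()) * 1000;
  const when = Date.parse(value);
  return Number.isNaN(when) ? null : Math.max(0, when - now);
}

// The server's hint wins. Without one, use capped exponential backoff with
// full jitter so many clients do not retry in lockstep.
function retryDelayMs(attempt, retryAfter, opts = {}) {
  const { baseMs = 500, capMs = 30000, random = Math.random, now } = opts;
  const hinted = parseRetryAfter(retryAfter, now);
  if (hinted !== null) return hinted;
  return Math.floor(random() * Math.min(capMs, baseMs * 2 ** attempt));
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// send: async function returning a fetch Response. Only 429 is retried;
// 401 and 403 are returned at once because resending the same key
// cannot succeed.
async function requestWithBackoff(send, opts = {}) {
  const { maxRetries = 4, sleep = defaultSleep, ...delayOpts } = opts;
  for (let attempt = 0; ; attempt++) {
    const response = await send();
    if (response.status !== 429 || attempt >= maxRetries) return response;
    const retryAfter = response.headers.get('Retry-After');
    await sleep(retryDelayMs(attempt, retryAfter, delayOpts));
  }
}
```

Pass a closure that performs the request, for example `requestWithBackoff(() => fetch(url, { headers }))`, and check `response.ok` on the result as `apiRequest` does.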
Authentication Errors
If authentication fails, you'll receive one of these error responses:
401 Unauthorized
The request did not include a subscription key, or the key is invalid.
403 Forbidden
The subscription key is valid but does not have access to the requested resource.
429 Too Many Requests
Rate limit exceeded. Wait and retry the request.
Need Help?
If you're having trouble with authentication or have questions about security, check out our other resources: