# Authentication

Public Auk integrations authenticate against the canonical Auk product base at
`https://api.parametrig.com/auk/v1`.

## Current Posture

- programmatic integrations should use API keys
- browser operators should use the console over the same backend
- live and sandbox remain distinct operational environments
- the console is not a separate auth authority

## Integration Expectations

- issue a key for the environment you are working in
- send it on every authenticated API request
- treat the key as workspace-scoped operator infrastructure, not end-user identity
- rotate or revoke the key when access posture changes

## API Key Handling

Every currently published Auk endpoint expects an operator-scoped API key.

That means the API tab can use this section as the stable anchor for any
contextual note about authentication, even when the endpoint family being
highlighted lives on another concept page.

## Environment Split

The launch posture is environment-aware:

- `sandbox` for simulation, rehearsal, and non-final integration work
- `live` for real operator traffic once the relevant controls are ready

That environment split should stay visible in both the console and API tooling.

## Illustrative Request

```bash
curl https://api.parametrig.com/auk/v1/quotes \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"product":"flight_delay","context":{"partner":"demo"}}'
```

## Boundary Rule

Authentication docs should stay focused on the public contract:

- how to authenticate
- which environment you are targeting
- what support path to use if access breaks

They should not leak private control-plane or internal trust logic that is not
part of the durable external contract.