# Authentication

Limy's REST API does **not** accept your static API key directly. Instead, you exchange the static key for a short-lived **session token** (a JWT), and use that session token on every API request. This two-step model lets us revoke compromised keys instantly without invalidating in-flight traffic, and keeps long-lived secrets off the wire on every call.

#### Step 1 — Exchange your static key for a session token

Send the static key as a Bearer token to the exchange endpoint:

```bash
curl -X POST https://api.limy.ai/v1/auth/accesskey/exchange \
  -H "Authorization: Bearer <YOUR_STATIC_API_KEY>"
```

Successful response:

```json
{
  "keyId": "K3EfyZac4vZdEMC1VIodMSguN5Ro",
  "sessionJwt": "eyJhbGciOiJSUzI1NiIs..."
}
```

* `keyId` — identifier of the static key that issued this session. Useful for logging which key your service is currently using.
* `sessionJwt` — the token you'll send to the Limy API. Treat it like a password. Its expiry (`exp` claim) is encoded in the JWT itself.

{% hint style="info" %}
Always cache the JWT and reuse it until close to its `exp` time — do not exchange on every API call.
{% endhint %}

#### Step 2 — Call the Limy API with the session token

Send the `sessionJwt` as a Bearer token on every API request:

```bash
curl https://api.limy.ai/v1/<endpoint> \
  -H "Authorization: Bearer <SESSION_JWT>"
```

If the token is missing, malformed, or expired, the API returns `401 Unauthorized`.
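The caching advice in Step 1 and the `401` behaviour above can be combined in a small client-side token cache. This is an added example, not Limy's own code: `SessionTokenCache`, `jwt_exp`, `exchange_static_key`, and the 60-second refresh margin are assumptions, while the endpoint and the `sessionJwt` field come from this page.

```python
import base64
import json
import time
import urllib.request

EXCHANGE_URL = "https://api.limy.ai/v1/auth/accesskey/exchange"  # endpoint from this page


def jwt_exp(token):
    """Read the `exp` claim (Unix seconds) from the JWT payload, unverified.
    Used only to schedule refresh; the API stays the authority on validity."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def exchange_static_key(static_key):
    """Step 1: POST the static key as a Bearer token and return the sessionJwt."""
    req = urllib.request.Request(
        EXCHANGE_URL, method="POST",
        headers={"Authorization": f"Bearer {static_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["sessionJwt"]


class SessionTokenCache:
    """Caches the session JWT and re-exchanges shortly before `exp`."""

    def __init__(self, static_key, exchange=exchange_static_key,
                 skew=60, clock=time.time):
        self._static_key = static_key
        self._exchange = exchange  # injectable so the cache can be tested offline
        self._skew = skew          # assumed safety margin, in seconds
        self._clock = clock
        self._token = None
        self._exp = 0

    def token(self):
        """Return the cached JWT, exchanging only when it is near expiry."""
        if self._token is None or self._clock() >= self._exp - self._skew:
            self._token = self._exchange(self._static_key)
            self._exp = jwt_exp(self._token)
        return self._token

    def invalidate(self):
        """Call after a 401 on an API request so the next token() re-exchanges."""
        self._token = None
```

Load the static key from a secret store or environment variable rather than source code, and keep the returned JWT out of logs.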

#### Error responses

| Status                                              | Meaning                                       | What to do                                                                                                   |
| --------------------------------------------------- | --------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
| `401 Unauthorized` on `/v1/auth/accesskey/exchange` | Static key is invalid, revoked, or expired    | Generate a new key in the admin panel                                                                        |
| `401 Unauthorized` on a Limy API call               | Session JWT is missing, malformed, or expired | Re-exchange the static key and retry                                                                         |
| `429 Too Many Requests`                             | API key rate/quota reached                    | Retry with exponential backoff on `429` rate limit errors. For daily quota exhaustion, retry after 24 hours. |
