> ## Documentation Index
> Fetch the complete documentation index at: https://getprescience.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Bearer keys, test and live environments, and key safety.

Every request carries a partner API key as a bearer token:

```bash theme={null}
curl https://www.getprescience.com/api/partner/v1/ping \
  -H "Authorization: Bearer psk_test_..."
```

There is no OAuth flow, request signing, or session token; authentication is this one header.

## Key formats

| Prefix              | Mode | Behavior                                                                      |
| ------------------- | ---- | ----------------------------------------------------------------------------- |
| `psk_test_<32 hex>` | Test | Full API, deterministic quotes, sandbox enrollments. No money movement, ever. |
| `psk_live_<32 hex>` | Live | Real employers, real onboarding. Requires live mode enabled for your account. |

The environment comes from the key: same base URL, same endpoints, same payload shapes. Resources are visible only to keys of the same mode: a test key never sees live groups, and vice versa. See [Environments](/test-mode).

Live keys work only after Prescience enables live mode for your account (see [Compliance](/resources/compliance)). Until then, live-key requests return `403 live_mode_disabled`.

## How keys are issued

Keys are provisioned by Prescience support. Test keys are available for development; live keys are issued after live mode is enabled. The raw key is shown **exactly once** at issue. We store only a SHA-256 hash, so a lost key cannot be recovered, only replaced.

To rotate or revoke a key, contact your Prescience partner engineer. Revocation is immediate, and rotation issues the new key before the old one is revoked, so you can cut over with zero downtime.

## Key safety

<Warning>
  API keys grant access to employer census data: names, dates of birth, ZIP codes. Treat them like production database credentials.
</Warning>

* **Server-side only.** Never ship a key in browser bundles, mobile apps, or client-side code. All Partner API calls should originate from your backend.
* **Secrets manager, not source control.** Inject keys via your secrets manager or environment configuration. Add `psk_test_` and `psk_live_` to your secret-scanning rules.
* **One key per environment.** Use separate test keys for development, CI, and staging so any one can be revoked without collateral damage.
* **We never log raw keys** and store them only as hashes; lookups compare hashes in constant time. Do the same: redact `Authorization` headers from your request logs.

## Auth errors

| Status | Code                 | Meaning                                                                                                                                            |
| ------ | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| 401    | `unauthorized`       | Missing, malformed, or revoked key.                                                                                                                |
| 403    | `live_mode_disabled` | Valid `psk_live_` key, but live mode isn't enabled for your account yet.                                                                           |
| 403    | `forbidden`          | The key may not access this resource.                                                                                                              |
| 429    | `rate_limited`       | Too many failed auth attempts from this source IP. Successful requests don't count toward this limiter; see [Rate limits](/resources/rate-limits). |

Full error envelope and code list in [Errors](/resources/errors).
