> ## Documentation Index
> Fetch the complete documentation index at: https://docs.aethercitadel.cloud/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How API keys work, security model, and key rotation

## API Key Format

Every tenant receives a key in the format:

```
ack_live_a1b2c3d4e5f6789012345678901234567890123456789
```

* `ack_live_` — prefix identifies it as an Aether Citadel key
* Followed by 48 hex characters (24 random bytes) — cryptographically secure

***

## How to Use Your Key

Pass the key in the `X-Citadel-Key` header on every request:

```bash theme={null}
curl -H "X-Citadel-Key: ack_live_YOUR_KEY" \
     https://api.aethercitadel.cloud/v1/intent/generate
```

<Warning>
  Never put your API key in URLs, query parameters, or client-side JavaScript. It belongs in a server-side environment variable only.
</Warning>

***

## Security Model

| Property         | Detail                                                               |
| ---------------- | -------------------------------------------------------------------- |
| **Transmission** | HTTPS only — TLS 1.3 enforced                                        |
| **Comparison**   | Constant-time (`subtle::ConstantTimeEq`) — timing attacks impossible |
| **Storage**      | Stored as plaintext in your tenant record — rotate if compromised    |
| **Rate limit**   | Per-plan monthly verification limit (not per-second)                 |

***

## Rotate a Compromised Key

If your key is exposed, generate a new one immediately. The old key is invalidated the moment you rotate.

```bash theme={null}
curl -X POST https://api.aethercitadel.cloud/v1/tenant/rotate-key \
  -H "X-Citadel-Key: ack_live_YOUR_CURRENT_KEY"
```

```json theme={null}
{
  "new_key": "ack_live_newkeyhere...",
  "message": "Your old key is now invalid. Update your integration immediately."
}
```

<Warning>
  Update all your services before rotating. Once rotated, the old key returns 401 on every request.
</Warning>

***

## Plan Limits

| Plan                | Monthly Verifications | Price     |
| ------------------- | --------------------- | --------- |
| **Free**            | 1,000                 | Free      |
| **Citadel Starter** | 50,000                | ₹2,499/mo |
| **Citadel Pro**     | 500,000               | ₹8,499/mo |
| **Enterprise**      | Unlimited             | Custom    |

When you exceed your limit, requests return `429 Too Many Requests`. Upgrade your plan to restore access.

***

## Admin vs Tenant Keys

| Key Type                          | Used By                                   | Auth Header     |
| --------------------------------- | ----------------------------------------- | --------------- |
| **Admin key** (`CITADEL_API_KEY`) | Internal services (AetherScale, AetherDB) | `X-Citadel-Key` |
| **Tenant key** (`ack_live_xxx`)   | Your paid customers                       | `X-Citadel-Key` |

Both key types use the same header. The server validates them through the same constant-time comparison.
