> ## Documentation Index
> Fetch the complete documentation index at: https://docs.closient.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API key types, formats, RBAC roles, and security practices.

All API endpoints require authentication unless explicitly marked as public.

## API Key Authentication

Include your API key in the `X-API-Key` header:

```bash theme={null}
curl -H "X-API-Key: csb_AbCdEfGhIjKlMnOpQrStUvWxYzAbCdEf_1a2b3c4d" \
  https://www.closient.com/products/api/v1/products
```

### Key Format

```
<prefix>_<body>_<checksum>
```

| Component  | Description                                         |
| ---------- | --------------------------------------------------- |
| `prefix`   | Key type identifier (`csb`, `csu`, or `cpk`)        |
| `body`     | 32 random alphanumeric characters                   |
| `checksum` | 8-character lowercase hex CRC-32 digest of the body |

The checksum enables client-side format validation before making a request:

```python theme={null}
import zlib

def verify_api_key(api_key: str) -> bool:
    parts = api_key.split("_")
    if len(parts) != 3:
        return False
    prefix, body, checksum = parts
    if prefix not in ("csb", "csu", "cpk"):
        return False
    expected = format(zlib.crc32(body.encode("utf-8")) & 0xFFFFFFFF, "08x")
    return checksum == expected
```

### Key Types

| Prefix | Name        | Scope        | Use Case                                                         |
| ------ | ----------- | ------------ | ---------------------------------------------------------------- |
| `csb`  | Business    | Organization | Server-side API access with full permissions                     |
| `csu`  | User        | User         | User-scoped access, respects the user's org memberships          |
| `cpk`  | Publishable | Organization | Client-side widgets and embeds — safe to expose in frontend code |

**Publishable keys** (`cpk`) have additional controls:

* Per-key rate limits (`rate_limit_per_minute`, `rate_limit_per_day`)
* Optional expiration (`expires_at`)
* Scoped to a single organization (returns org context, not user context)

### Key Lifecycle

Keys are shown **once** at creation time. The raw key is never stored — only its SHA-256 hash.

| Field                   | Description                                          |
| ----------------------- | ---------------------------------------------------- |
| `is_active`             | Set to `false` to immediately revoke                 |
| `expires_at`            | Optional expiration datetime (rejected after expiry) |
| `last_used`             | Updated on each authenticated request                |
| `rate_limit_per_minute` | Per-key override (0 = use global default)            |
| `rate_limit_per_day`    | Per-key override (0 = use global default)            |

## Organization Roles (RBAC)

Users belong to organizations through memberships, each with a role:

| Role        | Manage Org | Billing | Members | Offers | API Keys |
| ----------- | ---------- | ------- | ------- | ------ | -------- |
| **Owner**   | Yes        | Yes     | Yes     | Yes    | Yes      |
| **Manager** | No         | Yes     | Yes     | Yes    | Yes      |
| **Billing** | No         | Yes     | No      | No     | No       |
| **Editor**  | No         | No      | No      | Yes    | No       |

Roles are evaluated per-organization. A user can be an Owner of one organization and an Editor of another.

### Permission Reference

| Permission                             | Required Role              |
| -------------------------------------- | -------------------------- |
| `organization.view_organization`       | Any member                 |
| `organization.contribute_organization` | Owner, Manager, or Editor  |
| `organization.manage_billing`          | Owner, Manager, or Billing |
| `organization.manage_api_keys`         | Owner or Manager           |
| `organization.manage_members`          | Owner or Manager           |
| `organization.delete_organization`     | Owner only                 |

## Session Authentication

Browser-based access (Dashboard, admin) uses Django session cookies. This is automatic when logged in and is primarily for internal use. API integrations should always use API key authentication.

## Security Best Practices

* **Never expose `csb` or `csu` keys** in client-side code — use `cpk` publishable keys instead
* **Store keys in environment variables**, not in source code
* **Rotate keys periodically** and revoke unused ones
* **Use per-key rate limits** on publishable keys to prevent abuse
* **Set expiration dates** on keys used for temporary integrations
