# Authentication

> API keys and authorization

## API keys

All endpoints (except `/v1/health` and webhooks) require a Bearer token.

```bash
curl -H "Authorization: Bearer rw_live_..." \
  https://api.rewind.rest/v1/listening/recent
```

## Key types

| Key type  | Prefix         | Access                                                                     |
| --------- | -------------- | -------------------------------------------------------------------------- |
| **Read**  | `rw_live_...`  | All GET endpoints                                                          |
| **Admin** | `rw_admin_...` | All endpoints including sync triggers, data management, and key management |

Read keys are safe to use in client-side applications. Admin keys should only be used server-side.

## Rate limiting

Each API key gets 100 requests per 60-second sliding window. Every response carries the current state in headers, and exceeding the limit returns `429 Too Many Requests`.

| Header                  | Meaning                                           |
| ----------------------- | ------------------------------------------------- |
| `X-RateLimit-Limit`     | Requests allowed per window                       |
| `X-RateLimit-Remaining` | Requests left in the current window               |
| `X-RateLimit-Reset`     | Unix timestamp (seconds) when the window resets   |
| `Retry-After`           | Seconds to wait before retrying, sent only on 429 |

## Unauthorized responses

If your key is missing or invalid:

```json
{
  "error": "Unauthorized",
  "status": 401
}
```
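The rate-limit headers and the 401 response described above can drive a client's retry decision. The following is an added example, not code from the Rewind documentation: `next_action`, `_int_header` and the 60-second cap (`MAX_WAIT`) are assumptions made for illustration, and the header values in the comments and tests are constructed.

```python
import math
import time

MAX_WAIT = 60  # assumption: never sleep longer than the 60-second window


def _int_header(headers, name):
    """Return a header as a non-negative int, or None if absent or malformed."""
    for key, value in headers.items():
        if key.lower() == name.lower():  # header names are case-insensitive
            try:
                return max(0, int(str(value).strip()))
            except ValueError:
                return None
    return None


def next_action(status, headers, now=None):
    """Decide what to do after a response.

    Returns ("stop", 0) on 401, ("retry", seconds) on 429, and
    ("proceed", seconds) otherwise, where seconds is the pause to take
    before sending the next request.
    """
    now = time.time() if now is None else now
    reset = _int_header(headers, "X-RateLimit-Reset")
    until_reset = None if reset is None else max(0, math.ceil(reset - now))

    if status == 401:
        # Missing or invalid key: retrying with the same key cannot succeed.
        return ("stop", 0)

    if status == 429:
        # Retry-After is sent only on 429; fall back to the reset timestamp,
        # then to the full window if neither header is usable.
        wait = _int_header(headers, "Retry-After")
        if wait is None:
            wait = until_reset if until_reset is not None else MAX_WAIT
        return ("retry", min(wait, MAX_WAIT))

    # Successful response: pause pre-emptively once the window is exhausted
    # instead of sending a request that would come back as 429.
    if _int_header(headers, "X-RateLimit-Remaining") == 0 and until_reset is not None:
        return ("proceed", min(until_reset, MAX_WAIT))
    return ("proceed", 0)
```

Passing `now` explicitly keeps the decision testable; in a real client, omit it so the current time is used.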
