> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cesto.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys for the Cesto SDK.

The SDK authenticates with a **secret API key**. Keys look like `cesto_sk_…` and are sent
automatically with every request — you never set headers yourself.

## Getting a key

<Note>
  API keys are issued by the Cesto team — there's no self-serve portal yet.

  **Contact us to request a key:** reach out on our
  [community](https://t.me/cesto_co) or through your Cesto contact.
</Note>

## Providing the key

Pass it explicitly, or set the `CESTO_API_KEY` environment variable and omit it:

<CodeGroup>
  ```ts Explicit theme={null}
  const cesto = new Cesto({ apiKey: 'cesto_sk_…' });
  ```

  ```ts From env theme={null}
  // reads process.env.CESTO_API_KEY
  const cesto = new Cesto();
  ```
</CodeGroup>

If no key is found, the constructor throws.

## Key scopes

Keys are **read** (default) or **write**-scoped:

* **Read** covers products and position reads (`products.*`, `positions.getPositions`,
  `positions.getPosition`).
* **Write** is required for [opening](/sdk/open-position) and
  [closing](/sdk/close-position) positions
  (`open.*`, `close.*`, `positions.submit`, execution polling). A read-only key gets a
  `403 PermissionDeniedError` on write routes.

Ask for the scope you need when requesting a key.

## Backend

The SDK always targets the Cesto production backend at `https://backend.cesto.co`. There's
nothing to configure — you supply a key and go.

## Keep your key safe

<Warning>
  Treat the key like a password — keep it server-side, store it in a secret manager or
  environment variable, and never commit it to source control. To rotate or revoke a key,
  contact the Cesto team.
</Warning>
