# Authentication

All requests to the Monato Direct Debit API must be authenticated using an API key passed in the `x-api-key` request header.

## Generating API Keys

API keys are generated self-service from the Monato Portal under **Settings → API Keys**. There is no approval process — keys are active immediately upon creation.

Separate keys are available for the sandbox and production environments. You can generate multiple keys per environment, which is useful for isolating keys per integration or service.

## Passing Your API Key

Include your API key in every request using the `x-api-key` header:

```bash
curl -X POST https://directdebit.monato.com/charges \
  --header 'Content-Type: application/json' \
  --header 'x-api-key: YOUR_API_KEY' \
  --data '{ ... }'
```

Requests made without a valid API key will receive a `401 Unauthorized` response.

## Key Security Best Practices

- **Never expose API keys in client-side code**, public repositories, or logs.
- Store keys in environment variables or a secrets manager, not in configuration files.
- Use separate keys for sandbox and production environments.
- Rotate keys immediately if you suspect a key has been compromised — you can revoke and regenerate keys from the Portal at any time.
- If running multiple services, consider generating a dedicated key per service so you can revoke individual access without affecting others.

## Webhook Endpoint Authentication

Webhook delivery uses a separate authentication mechanism. Rather than API keys, the platform sends an `Authorization` HTTP header with a value you configure during onboarding. See [Webhooks](/products/directdebit/content/guides/api/webhooks#endpoint-authentication) for details.
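The two header checks described on this page, the outbound `x-api-key` on API calls and the inbound `Authorization` value on webhook deliveries, as an added Python example that is not part of Monato's documentation or SDK. It assumes the key is read from an environment variable named `MONATO_API_KEY` and that the webhook header carries the literal value configured during onboarding; both names and that comparison are assumptions for this example.

```python
import hmac
import os

API_KEY_HEADER = "x-api-key"       # header name from this page
API_KEY_ENV = "MONATO_API_KEY"     # assumed variable name, not from the page


def load_api_key(environ=None):
    """Read the key from the environment, never from a config file or source.

    Fails closed: an unset or empty variable raises here instead of sending
    a request that can only come back as 401 Unauthorized."""
    env = os.environ if environ is None else environ
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set; refusing to call the API")
    return key


def auth_headers(api_key):
    """Headers for a JSON request to the Direct Debit API."""
    return {"Content-Type": "application/json", API_KEY_HEADER: api_key}


def redacted(headers):
    """Copy of the headers that is safe to log: the key is masked, keeping
    only its last four characters so a log line can still be correlated
    with a specific key in the Portal."""
    safe = dict(headers)
    key = safe.get(API_KEY_HEADER)
    if key:
        safe[API_KEY_HEADER] = ("****" + key[-4:]) if len(key) > 4 else "****"
    return safe


def webhook_authorized(received, expected):
    """Check the Authorization header on an inbound webhook against the
    value configured during onboarding (assumed to be a fixed string).

    Uses a constant-time comparison so the check does not leak how many
    leading characters of a guessed value matched; a missing header or a
    value of the wrong length is rejected without raising."""
    if received is None or expected is None:
        return False
    return hmac.compare_digest(received.encode("utf-8"), expected.encode("utf-8"))
```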