> ## Documentation Index > Fetch the complete documentation index at: https://pond.dflow.net/llms.txt > Use this file to discover all available pages before exploring further. # Authenticate Requests > How to authenticate requests with DFlow API keys During development, you can use the [developer endpoints](/get-started/endpoints) without an API key. For production use, you'll need an [API key](/get-started/api-key) to avoid rate limits. ## Using Your API Key Include your API key in all requests to the APIs by setting the `x-api-key` header. All calls to the production endpoints must use an API key. For GET requests, include the API key in the request headers: ```typescript theme={null} import "dotenv/config"; import { Keypair } from "@solana/web3.js"; import bs58 from "bs58"; const DFLOW_TRADE_API_URL = process.env.DFLOW_TRADE_API_URL ?? "https://dev-quote-api.dflow.net"; const DFLOW_API_KEY = process.env.DFLOW_API_KEY; // optional; not needed for dev endpoints const DFLOW_SETTLEMENT_MINT = process.env.DFLOW_SETTLEMENT_MINT ?? "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v"; // USDC const SOL_MINT = "So11111111111111111111111111111111111111112"; const amount = 100_000; // 0.0001 SOL (9 decimals) const slippageBps = 50; // 0.5% const keypair = Keypair.fromSecretKey( bs58.decode(process.env.SOLANA_PRIVATE_KEY ?? "") ); const headers: HeadersInit = {}; if (DFLOW_API_KEY) headers["x-api-key"] = DFLOW_API_KEY; const queryParams = new URLSearchParams(); queryParams.append("inputMint", SOL_MINT); queryParams.append("outputMint", DFLOW_SETTLEMENT_MINT); queryParams.append("amount", amount.toString()); queryParams.append("slippageBps", slippageBps.toString()); queryParams.append("userPublicKey", keypair.publicKey.toBase58()); const response = await fetch( `${DFLOW_TRADE_API_URL}/order?${queryParams.toString()}`, { headers } ).then((x) => x.json()); ``` For POST requests, include the API key alongside other headers: ```typescript theme={null} // Reuses DFLOW_TRADE_API_URL, DFLOW_API_KEY, and headers from the GET setup above. // intentData and openTransaction come from an earlier /intent call. async function submitIntent(intentData: unknown, openTransaction: { serialize(): Buffer }) { const response = await fetch(`${DFLOW_TRADE_API_URL}/submit-intent`, { method: "POST", headers: { ...headers, "Content-Type": "application/json" }, body: JSON.stringify({ quoteResponse: intentData, signedOpenTransaction: Buffer.from(openTransaction.serialize()).toString( "base64" ), }), }); return response.json(); } ``` ## WebSocket Authentication The Trade and Metadata APIs both expose WebSocket endpoints (see [Endpoints](/get-started/endpoints)). They authenticate the same way as REST: developer endpoints are open without a key, and production endpoints take the API key as an `x-api-key` header on the upgrade request, not a URL query parameter. ```typescript theme={null} // Reuses DFLOW_API_KEY from the GET setup above. const DFLOW_METADATA_API_WS_URL = process.env.DFLOW_METADATA_API_WS_URL ?? "wss://dev-prediction-markets-api.dflow.net/api/v1/ws"; const wsHeaders: Record = {}; if (DFLOW_API_KEY) wsHeaders["x-api-key"] = DFLOW_API_KEY; const ws = new WebSocket(DFLOW_METADATA_API_WS_URL, { headers: wsHeaders }); ``` ## Security Best Practices * Store your API key securely using environment variables. * Never commit API keys to version control. * Rotate your API key if it's ever exposed. ## Getting Help If you need an API key or have questions about rate limits, [reach out to us](/get-started/api-key). ## Related Resources Dev and production base URLs for the Trade, Metadata, and Proof APIs. Submit the form to get a production API key. Execute your first spot swap end-to-end. Build a Kalshi prediction market integration end-to-end. ## API Routes * [GET /order](/resources/trading-api/order/order) * [POST /submit-intent](/resources/trading-api/declarative/submit)