# Authentication

Ziffi has a free tier plus key-based limits. Anonymous requests share one modest rate limit, enforced per client IP, so you can try the API with no signup. Sign up and send an API key to get your own higher limit.

An API key does two things:

- **Rate limit.** Your key carries its own quota. Sending it applies that limit instead of the shared free-tier limit. This is how you move from trying the API to running on it in production.
- **Attribution.** When you send your key on a checkout hand-off, the resulting order is credited to your app. This is how brand partnerships and commission work.

Read and write both work on the free tier; a key raises your limit and attributes usage.

## Sending a key

Pass your key in the `X-Ziffi-Key` header.

```bash
curl "https://dev.ziffi.xyz/v1/search?q=serum" -H "X-Ziffi-Key: zk_live_your_key_here"
```

```python
import httpx
r = httpx.get("https://dev.ziffi.xyz/v1/search",
              params={"q": "serum"},
              headers={"X-Ziffi-Key": "zk_live_your_key_here"})
```

```javascript
const r = await fetch("https://dev.ziffi.xyz/v1/search?q=serum", {
  headers: { "X-Ziffi-Key": "zk_live_your_key_here" }
});
```

## Getting a key

Sign up and manage your keys from the [dashboard](/dashboard/). A key is shown once at creation, so store it securely. Never expose a key in client-side code that ships to end users.

## Checking your limits

```bash
curl "https://dev.ziffi.xyz/v1/quota"
```

Returns your current rate limit (free tier, or your key's limit if you send a key), plus your calls today.

## Next steps

- [Rate limits](#/rate-limits): the free tier, key limits, and how to handle `429`.
- [Errors](#/errors): the error format and codes.
