> ## Documentation Index
> Fetch the complete documentation index at: https://docs.seesaw.fun/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Personal API keys: format, usage, lifecycle, and security

Every request to the Open API — public data included — requires a **personal
API key** (PAT). Keys are bound to a SeeSaw user account: public tools see
the world, `*_my_*` tools see that account.

## Using your key

Send it as a standard bearer token on both faces:

```bash theme={null}
# REST
curl -H "Authorization: Bearer sspat_YOUR_KEY" \
  "https://api.seesaw.fun/open/v1/topics?limit=5"
```

```bash theme={null}
# MCP
claude mcp add --transport http seesaw https://api.seesaw.fun/mcp \
  --header "Authorization: Bearer sspat_YOUR_KEY"
```

There is no OAuth flow and no token exchange: the key itself is the
credential on every request.

## Key facts

| Property   | Value                                                      |
| ---------- | ---------------------------------------------------------- |
| Format     | `sspat_` prefix + 40 random characters                     |
| Shown      | **Once**, at creation — only a hash is stored server-side  |
| Expiry     | Never (revocable anytime)                                  |
| Scope      | `read` (the only scope in this beta)                       |
| Per user   | Up to **5 active keys**                                    |
| Revocation | Takes effect within \~60 seconds (validation cache window) |

## Getting and managing keys

During the beta, keys are **issued by the SeeSaw team** — contact us through
your existing SeeSaw channel with the account to attach the key to.
Self-service creation and revocation in the app is planned; this page will be
updated when it ships.

Key management lives on the app API (JWT-authenticated, `/v1/users/me/api-keys`)
— it is deliberately *not* part of the Open API surface, so a leaked key
cannot mint or revoke keys.

## Security notes

* **Treat keys like passwords.** A key can read your balance, positions, and
  P\&L. Don't paste it into shared prompts, logs, or screenshots.
* **Don't commit keys to git.** The `sspat_` prefix is designed to be
  secret-scanner friendly; treat any committed key as leaked.
* **Leaked?** Revoke it immediately and get a fresh one. Revocation
  propagates in about a minute.
* Prefer one key per client/integration so you can revoke narrowly.

## What's next

**OAuth 2.1 is planned** for a later phase — it unlocks clients where you
can't set custom headers (claude.ai web connectors, ChatGPT connectors).
API keys will keep working unchanged.
