# Authentication

All API endpoints require authentication via a Bearer token, except:

- `GET /health`
- `GET /v1/alerts/ws` (WebSocket upgrade endpoint)

## Getting an API Key

Canon is currently in early access. Sign up at [canonprotocol.org](https://canonprotocol.org) to request a key. We'll send you the key, which you use as a Bearer token, via email.

## Using Your Key

Include your API key in the `Authorization` header of every request:

```
Authorization: Bearer YOUR_API_KEY
```

### Example

```bash
curl -X POST https://api.canonprotocol.org/v1/validate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"asset": "BTC", "action": "long", "size": 50000, "leverage": 10, "wallet": "0x..."}'
```

## Unauthenticated Endpoints

The following endpoints do not require authentication:

| Endpoint | Description |
|---|---|
| `GET /health` | Service health and readiness status |
| `GET /v1/alerts/ws` | WebSocket upgrade endpoint for real-time risk alerts |

## Error Responses

Missing or malformed `Authorization` header:

```json
{
  "error": "missing or invalid Authorization header"
}
```

Invalid API key:

```json
{
  "error": "invalid API key"
}
```

Both return HTTP `401 Unauthorized`.
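
The following wrapper is an added example, not Canon's own client code. It sends the `Authorization` header described under "Using Your Key" without placing the key on the command line, and tells the two documented `401` bodies apart so a client bug is not mistaken for a rejected key. Assumptions: the key is exported as `CANON_API_KEY` (a name chosen here), keys contain only RFC 6750 `b64token` characters, and the function names are hypothetical.

```bash
# Added example: CANON_API_KEY is an assumed environment variable name.

# Print a curl config line with the Authorization header. Assumes keys use only
# RFC 6750 b64token characters; anything else (spaces, quotes, CR/LF) is refused
# so it cannot corrupt the header or the curl config syntax.
canon_auth_config() {
  local LC_ALL=C key="$1"
  case "$key" in
    ''|*[!A-Za-z0-9._~+/=-]*) echo "refusing empty or malformed API key" >&2; return 1 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$key"
}

# Map a status code and body to a next step, using the two documented 401 bodies.
classify_auth_response() {
  [ "$1" = "401" ] || { echo "not-auth-error"; return 0; }
  case "$2" in
    *'"missing or invalid Authorization header"'*) echo "fix-header" ;;
    *'"invalid API key"'*) echo "check-key" ;;
    *) echo "unknown-401" ;;
  esac
}

# POST a JSON payload to /v1/validate. The header reaches curl on stdin
# (--config -), so the key never appears in argv or the process list.
canon_validate() {
  local cfg out status body
  cfg="$(canon_auth_config "${CANON_API_KEY:-}")" || return 1
  out="$(printf '%s\n' "$cfg" | curl -sS --config - \
    -X POST https://api.canonprotocol.org/v1/validate \
    -H "Content-Type: application/json" \
    -d "$1" -w '\n%{http_code}')" || return 1
  status="$(printf '%s\n' "$out" | tail -n 1)"   # last line is the HTTP status
  body="$(printf '%s\n' "$out" | sed '$d')"      # everything before it is the body
  case "$(classify_auth_response "$status" "$body")" in
    fix-header)  echo "401: header missing or malformed (client bug)" >&2; return 2 ;;
    check-key)   echo "401: key rejected; check the key you were issued" >&2; return 3 ;;
    unknown-401) echo "401: unrecognized body" >&2; return 4 ;;
  esac
  printf '%s\n' "$body"
}
```

After `export CANON_API_KEY=...`, call `canon_validate '{"asset": "BTC", ...}'` with the JSON body from the example above.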
