> ## Documentation Index
> Fetch the complete documentation index at: https://docs.breezeblue.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate with xi-api-key or Authorization Bearer.

Most endpoints take an API key in the `xi-api-key` header. Account-management endpoints such as `/v1/api-keys` require a browser session. Create keys on the [API keys page](https://breezeblue.ai/app/developer/api-keys), or use `breeze login` to create a device-specific CLI key.

## Sending your API key

Breeze accepts the key two ways. Both are equivalent.

* `xi-api-key` header
* `Authorization: Bearer <key>` header

When both are present, `xi-api-key` takes precedence.

```http theme={null}
GET /v1/voices HTTP/1.1
Host: api.breeze.blue
xi-api-key: brz_xxxxxxxxxxxxxxxx
```

```http theme={null}
GET /v1/voices HTTP/1.1
Host: api.breeze.blue
Authorization: Bearer brz_xxxxxxxxxxxxxxxx
```

```bash theme={null}
# xi-api-key
curl https://api.breeze.blue/v1/voices \
  -H "xi-api-key: $BREEZE_API_KEY"

# Bearer
curl https://api.breeze.blue/v1/voices \
  -H "Authorization: Bearer $BREEZE_API_KEY"
```

## Key lifecycle

* Keys have a stable `key_id`, `prefix`, and `status`.
* Breeze returns the plaintext `api_key` only when you create or rotate a key. Store it immediately; it cannot be viewed again.
* CLI login uses the same hash-only key model. The browser authorizes a short login flow, then the CLI exchanges a local verifier for one plaintext key response and saves it in `~/.breeze`.
* Use `key_id` for key management, request-log attribution, and support investigations. API-key authenticated responses include `x-breeze-api-key-id`.
* Status is `active`, `expiring`, or `disabled`. Disabled keys return `401 AUTH_REQUIRED` immediately and can be re-enabled.
* Delete a key to remove it entirely. Use one key per environment; the last-used timestamp surfaces stale keys.

## Common errors

* `401 AUTH_REQUIRED`: missing, malformed, deleted, or disabled key.
* `403 FORBIDDEN`: valid key with no access to the requested resource.

See the full list on the [errors page](/reference/errors).

## Continue from here

<Columns cols={2}>
  <Card title="SDK quickstart" icon="rocket" href="/quickstart">
    Create a key, install the SDK, and make your first text-to-speech request.
  </Card>

  <Card title="CLI auth" icon="terminal" href="/cli/reference/auth">
    Use browser login, local profiles, and stdin key entry from the command line.
  </Card>

  <Card title="API reference" icon="braces" href="/api-reference/introduction">
    Review base URL, content types, generated endpoint docs, and response conventions.
  </Card>

  <Card title="Errors" icon="triangle-alert" href="/reference/errors">
    Handle auth, validation, billing, concurrency, and generation failures.
  </Card>
</Columns>
