> ## Documentation Index
> Fetch the complete documentation index at: https://digitalsurge.com.au/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to create a Digital Surge API key and authenticate your API requests with a Bearer token. Read-only and read & write keys, two-factor protection, and key safety.

The Digital Surge API uses personal **API keys** sent as Bearer tokens. You create keys yourself in the Digital Surge app — no application process, no waiting.

## Creating an API key

1. Log in to the [Digital Surge app](https://app.digitalsurge.com.au).
2. Open **Account Settings → API Keys**.
3. Click to create a new key and choose its permission level:
   * **Read Only** — view balances, transactions, portfolio data, and prices.
   * **Read & Write** — everything above, plus placing trades, managing price triggers and recurring buys, and initiating withdrawals.
4. Confirm the creation with your two-factor authentication code.
5. **Copy the key immediately.** For your security the full key is visible only briefly after creation — after that only a short prefix is shown, and it can never be displayed again.

API keys don't expire; they remain valid until you delete them. There's a small per-account limit on how many keys you can hold at once.

## Using your key

Send the key in the `Authorization` header of every private request:

```bash theme={null}
curl "https://app.digitalsurge.com.au/api/private/profile/brief/" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Public endpoints (`/api/public/...`) need no authentication at all, so there is no reason to send your key to them; attach the header only to `/api/private/...` requests.
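The header above, in a small client that also follows the key-handling rules further down the page: the key is read from the environment rather than from source or the command line, it is attached only to `/api/private/` paths, and only a short prefix of it ever reaches a log line. This is an added example, not code from Digital Surge; the environment variable name `DIGITALSURGE_API_KEY`, the public path used in the usage note and the error handling are assumptions.

```python
"""Minimal Digital Surge private-API client showing safe key handling.

Added example; not code from Digital Surge. The environment variable name,
the public path used below and the error handling are assumptions.
"""
import os
import sys
import urllib.error
import urllib.request

BASE_URL = "https://app.digitalsurge.com.au"
PRIVATE_PREFIX = "/api/private/"
PUBLIC_PREFIX = "/api/public/"


def load_api_key(env=os.environ, name="DIGITALSURGE_API_KEY"):
    """Read the key from the environment rather than from source or argv.

    `name` is an assumed variable name, not one Digital Surge prescribes.
    """
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; export the key before running")
    return key


def redact(api_key, visible=6):
    """Return only a short prefix, the way the app itself displays a key.

    Use this in log lines and error messages so the full key never lands
    in a log store.
    """
    if len(api_key) <= visible:
        return "*" * len(api_key)
    return api_key[:visible] + "..."


def build_request(path, api_key=None, method="GET"):
    """Build a urllib Request, attaching the Bearer header only to /api/private/.

    Public endpoints need no credentials, so the key is deliberately not sent
    to them: a credential should travel only where it is required.
    """
    if path.startswith(PRIVATE_PREFIX):
        if not api_key:
            raise ValueError(f"{path} is a private endpoint and needs an API key")
        req = urllib.request.Request(BASE_URL + path, method=method)
        req.add_header("Authorization", f"Bearer {api_key}")
        return req
    if path.startswith(PUBLIC_PREFIX):
        return urllib.request.Request(BASE_URL + path, method=method)
    raise ValueError(f"unexpected path {path!r}; expected {PRIVATE_PREFIX} or {PUBLIC_PREFIX}")


def call(path, api_key=None, timeout=10):
    """Send the request; on an HTTP error report the status and the redacted key only."""
    req = build_request(path, api_key)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        shown = redact(api_key) if api_key else "<none>"
        print(f"{path} -> HTTP {e.code} (key {shown})", file=sys.stderr)
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Network call against the endpoint the curl example above uses.
    key = load_api_key()
    status, body = call("/api/private/profile/brief/", key)
    print(status, body[:200])
```

Run it with `DIGITALSURGE_API_KEY=... python client.py`; `build_request` raises if you try to hit a private path without a key, and silently omits the header for a public path such as a hypothetical `/api/public/example/`, so a misrouted request can never leak the credential.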

## Key safety

<Warning>
  Treat an API key like a password to your account. A **Read & Write** key can move funds.
</Warning>

* Store keys in a secrets manager or environment variables — never in source control, client-side code, or shared documents. Avoid pasting a key literally into a shell command line as well: it is written to your shell history and is visible to other local processes while the command runs. Read it from the environment instead.
* Use **Read Only** keys unless you genuinely need to trade, manage triggers or recurring buys, or withdraw programmatically.
* Create one key per integration, so you can revoke one without breaking the others.
* Delete keys you no longer use (**Account Settings → API Keys → delete**). Deletion takes effect immediately.
* API keys deliberately **cannot** create or delete other API keys, and cannot manage connected AI agents — those actions always require logging in to the app.

## What about OAuth?

The Digital Surge web and mobile apps authenticate with short-lived OAuth tokens. That flow is not intended for third-party integrations — **never ask a Digital Surge customer for their email and password**. For anything you build, use an API key; for AI assistants, use the [MCP connection](/guides/ai-agents), which lets customers sign in themselves and grants your agent its own revocable access.
