> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gravitygtm.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API key format, where to get one, and how to rotate keys

Every request to Horizon (REST or MCP) is authenticated with a
single Bearer API key.

## Key format

```
gk_live_<64 hex characters>
```

Keys are 32 random bytes, hex-encoded, prefixed with `gk_live_`. There is
currently only one environment (no separate `gk_test_` keys) — every key is
a live key that spends real credits.

## Sending the key

```http theme={null}
Authorization: Bearer gk_live_YOUR_KEY
```

Requests with a missing or malformed `Authorization` header get a `401` with
`error: "unauthorized"`. See [Errors & Rate Limits](/horizon/errors-and-rate-limits)
for the full error shape.

## Getting a key

Keys are issued automatically, no waiting on a human required. Two ways to
get one:

* **Add Horizon to Slack** and follow the signup prompt — this is the
  fastest path if your team wants conversational access alongside the API.
  See [Add Horizon to Slack](/horizon/slack-install).
* **Call `POST /api/stripe/checkout`** directly with
  `{ "pack": "free" }` (a \$0, card-on-file free trial) or a paid pack id
  (`pack_49` / `pack_199` / `pack_499` — see
  [Credits & Pricing](/horizon/credits-and-pricing)). The response is a normal
  Stripe Checkout URL; completing it triggers your key + starting credit
  balance to be emailed within a minute.

Either path issues the same kind of key — a Slack-originated key works
against the REST API and MCP server exactly like one issued from the REST
flow, and vice versa, since Slack, REST, and MCP all draw from one shared
credit balance.

New keys are issued with **200 free trial credits**.

## Rotating a key

Keys can be rotated without downtime: a new key is issued while the old one
keeps working for a **24-hour grace period**, so in-flight integrations have
time to switch over before the old key stops authenticating. Ask your
Horizon contact to rotate a key for you; there's no self-service
rotation endpoint yet.

A key can also be revoked immediately and permanently if it's compromised —
mention this when you reach out if that's the situation.

## Storage and display

Only a SHA-256 hash of your key is ever stored — the plaintext key is shown
to you exactly once, at issuance. Keep it somewhere safe (a secrets manager,
not a repo) since it can't be retrieved again, only rotated.
