> ## Documentation Index
> Fetch the complete documentation index at: https://docs.radion.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate WebSocket connections with your Radion API key.

Every WebSocket connection needs a valid API key. Send it as a header in the WebSocket upgrade request:

```http theme={null}
X-API-Key: YOUR_API_KEY
```

Most WebSocket client libraries let you set custom headers for the upgrade request.

## Public JWT keys

If you connect with a [public JWT key](/api/authentication#public-jwt-keys) (`pk_jwt_...`), also send the user's token in the `Authorization` header:

```http theme={null}
X-API-Key: pk_jwt_YOUR_PUBLIC_KEY
Authorization: Bearer USER_JWT
```

## From a browser

Browsers cannot set headers on a WebSocket handshake. For that one case, pass the credentials as query parameters instead:

```text theme={null}
wss://api.radion.app/ws?api-key=YOUR_API_KEY&token=USER_JWT
```

Use `token` only with a public JWT key. Radion reads query parameters on the WebSocket upgrade only, never on plain HTTP requests.

<Warning>
  Prefer headers. Proxies and servers log URLs, so a key in the query string can
  leak into their logs. Use the query string only when your client cannot set
  headers, such as a browser `WebSocket`.
</Warning>

The key you connect with sets the [rate limits](/websockets/rate-limits) for that connection. Radion checks the key again about every 30 seconds while the connection is open. If the key is revoked, Radion closes the connection with a `key_revoked` [error frame](/websockets/frames#error-frames).

If the key is missing or wrong, the upgrade is rejected. A bad key returns HTTP `401`.
