# API Security

## Authentication

All API requests require authentication using a Bearer token (API key).

### How to Authenticate

Include your API key in the `Authorization` header:

```bash
curl -X GET https://api.vilna.io/v1/addresses \
  -H "Authorization: Bearer YOUR_API_KEY"
```

### API Key Best Practices

- **Store securely**: Use environment variables or secrets management services
- **Never expose**: Don't include API keys in client-side code or public repositories
- **Rotate regularly**: Change your API keys periodically for better security
- **Use separate keys**: Different keys for development, staging, and production

## Webhook Security

Vilna signs all webhook requests to ensure they're authentic and haven't been tampered with.

### Security Headers in Webhooks

Every webhook request from Vilna includes these headers:

| Header | Description |
| --- | --- |
| `X-Vilna-Signature` | HMAC-SHA256 signature of the request |
| `X-Vilna-Timestamp` | Unix timestamp when the request was sent |
| `X-Vilna-Event` | Event type (e.g., "transaction.confirmed") |
| `X-Vilna-Event-Id` | Unique event identifier |
| `X-Vilna-Idempotency-Key` | Unique key for preventing duplicate processing |

## Additional Resources

- [Webhook Integration Guide](/guides/channels#webhook-channels)
- [API Error Handling](/apis/#error-response-rfc-7807)
- [Quick Start Guide](/guides/quickstart)

*Security is our top priority. If you've found a vulnerability, please report it to [security@vilna.io](mailto:security@vilna.io)*
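
Receiver-side verification for the webhook headers listed under Webhook Security, as an added example rather than Vilna's own code. The page does not define the signed string, so the `<timestamp>.<raw body>` hex HMAC scheme, the 300-second tolerance, the 24-hour retention and the `WebhookVerifier` name are assumptions; confirm the actual scheme in the Webhook Integration Guide.

```python
import hashlib
import hmac
import time

def expected_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    # ASSUMPTION (not stated on this page): the signature is the hex HMAC-SHA256
    # of "<timestamp>.<raw body>" under the webhook secret.
    signed = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()

class WebhookVerifier:
    def __init__(self, secret: bytes, tolerance: int = 300, retention: int = 86400):
        self.secret, self.tolerance, self.retention = secret, tolerance, retention
        self.seen = {}  # token -> expiry time; use a shared store in production

    def verify(self, headers: dict, body: bytes, now=None) -> str:
        """Return "accept", "duplicate" or "reject:<reason>"."""
        now = time.time() if now is None else now
        h = {k.lower(): v for k, v in headers.items()}
        sig = h.get("x-vilna-signature", "")
        ts = h.get("x-vilna-timestamp", "")
        key = h.get("x-vilna-idempotency-key", "")
        if not (sig and ts and key):
            return "reject:missing-header"
        if not (ts.isascii() and ts.isdigit()):
            return "reject:bad-timestamp"
        # Authenticate first, over the raw bytes as received, in constant time.
        want = expected_signature(self.secret, ts, body)
        if not hmac.compare_digest(sig.encode("utf-8"), want.encode("ascii")):
            return "reject:bad-signature"
        # The timestamp is now trusted; bound how long a captured request stays valid.
        if abs(now - int(ts)) > self.tolerance:
            return "reject:stale-timestamp"
        self.seen = {t: exp for t, exp in self.seen.items() if exp > now}
        # The signature is remembered too: under the assumed scheme the
        # idempotency header is outside the MAC and could be altered on replay.
        if key in self.seen or sig in self.seen:
            return "duplicate"
        self.seen[key] = self.seen[sig] = now + self.retention
        return "accept"

if __name__ == "__main__":  # constructed sample request, not real Vilna traffic
    secret = b"constructed-demo-secret"
    body = b'{"note":"constructed sample body"}'
    ts = str(int(time.time()))
    hdrs = {"X-Vilna-Signature": expected_signature(secret, ts, body),
            "X-Vilna-Timestamp": ts, "X-Vilna-Idempotency-Key": "demo-key-1"}
    v = WebhookVerifier(secret)
    print(v.verify(hdrs, body), v.verify(hdrs, body))
```

Pass the request body exactly as received, before any JSON parsing or re-serialization, since a re-encoded body will not match the signature.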