# Authentication
All Tools API endpoints require a valid API key. This page covers how to generate, use, and manage your key.
## Generating a Key
1. Go to [Settings > API Keys](/settings/api-keys)
2. Click **Generate API Key**
3. **Copy the key immediately** -- it is shown only once and cannot be retrieved later
Your key looks like: `sbox_tk_a1b2c3d4e5f6...` (72 characters).
You can keep up to 5 active keys per account. Revoke any key you no longer need.
## Using Your Key
Include the key as a Bearer token in the `Authorization` header of every request:
```bash
curl -X POST https://api.sboxcool.com/tools/material \
  -H "Authorization: Bearer sbox_tk_your_key_here" \
  -F "image=@texture.png"
```
```python
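import requests

headers = {"Authorization": "Bearer sbox_tk_your_key_here"}
# Upload the image as multipart form data; the context manager closes the file.
with open("texture.png", "rb") as image:
    resp = requests.post("https://api.sboxcool.com/tools/material",
                         headers=headers, files={"image": image})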
```
```javascript
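// Build the multipart body; `file` is a File or Blob holding the image.
const formData = new FormData();
formData.append("image", file);

const resp = await fetch("https://api.sboxcool.com/tools/material", {
  method: "POST",
  headers: { Authorization: "Bearer sbox_tk_your_key_here" },
  body: formData,
});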
```
## Revoking a Key
Go to [Settings > API Keys](/settings/api-keys) and click **Revoke Key**. Any integrations using the old key will immediately stop working.
## Security
- Keys are stored as SHA-256 hashes. We never store or log the raw key.
- Treat your key like a password. Do not commit it to version control or share it publicly.
- If your key is compromised, revoke it immediately and generate a new one.
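
The sketch below is an added illustration, not the service's own code: it shows why a key stored only as a SHA-256 hash can be verified and revoked but never displayed again. The `KeyStore` class, its method names, revoking by raw key, and the 64-hex-character key body are assumptions; the `sbox_tk_` prefix, the 72-character length, and the limit of 5 come from this page.

```python
import hashlib
import secrets

PREFIX = "sbox_tk_"      # Tools API key prefix (from this page)
MAX_ACTIVE_KEYS = 5      # per-account limit (from this page)


def digest(raw_key: str) -> str:
    """SHA-256 hex digest: the only form of the key that gets persisted."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class KeyStore:
    """Hypothetical in-memory stand-in for a server-side key table."""

    def __init__(self):
        self._owner_by_hash = {}  # SHA-256 digest -> account id

    def generate(self, account: str) -> str:
        active = sum(1 for a in self._owner_by_hash.values() if a == account)
        if active >= MAX_ACTIVE_KEYS:
            raise ValueError("limit of 5 active keys reached; revoke one first")
        # Assumption: 32 random bytes as 64 hex chars, 72 chars with the prefix.
        raw_key = PREFIX + secrets.token_hex(32)
        self._owner_by_hash[digest(raw_key)] = account
        return raw_key  # shown to the user once; never stored

    def authenticate(self, authorization_header: str):
        """Return the owning account id, or None if the header is not valid."""
        scheme, _, presented = authorization_header.partition(" ")
        if scheme != "Bearer" or not presented.startswith(PREFIX):
            return None
        # Lookup is by hash, so the raw key is never needed server-side.
        return self._owner_by_hash.get(digest(presented))

    def revoke(self, raw_key: str) -> bool:
        """Drop the key's hash; requests using it fail from now on."""
        return self._owner_by_hash.pop(digest(raw_key), None) is not None

    def stored_values(self):
        """Everything a database dump would reveal about the keys."""
        return list(self._owner_by_hash)


if __name__ == "__main__":
    store = KeyStore()
    key = store.generate("acct-1")  # constructed account id
    print(len(key), store.authenticate("Bearer " + key), key in store.stored_values())
```

An unsalted SHA-256 hash is reasonable in this sketch only because the key is long and random; it would not be an appropriate way to store user-chosen passwords.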
## Tools API vs Network Storage API
These are separate key systems:
| | Tools API Key | Network Storage Key |
|---|---|---|
| Prefix | `sbox_tk_` | `sbox_ns_` / `sbox_sk_` |
| Manage at | [Settings > API Keys](/settings/api-keys) | Project > API Keys |
| Used for | Material, terrain, model tools | Game data storage |
| Limit | Up to 5 per account | Multiple per project |