> ## Documentation Index
> Fetch the complete documentation index at: https://developers.bumxpress.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate merchant API requests with your API key and secret.

All protected merchant endpoints require two headers:

```http theme={null}
X-Api-Key: bmx_pk_xxx
X-Api-Secret: bmx_sk_xxx
```

| Header         | Description                                                          |
| -------------- | -------------------------------------------------------------------- |
| `X-Api-Key`    | Public key that identifies the merchant API credential.              |
| `X-Api-Secret` | Secret shown once when the key is created in the merchant dashboard. |

If authentication fails, the API returns `401 Unauthorized`.

## Credential handling

* Create API keys in the merchant dashboard.
* Store `X-Api-Secret` in a secret manager.
* Never expose API secrets in mobile apps, browsers, logs, or public repositories.
* Rotate or revoke credentials from the dashboard if a secret is exposed.

## Example

```http theme={null}
GET /customers/22222222-2222-2222-2222-222222222222
X-Api-Key: bmx_pk_xxx
X-Api-Secret: bmx_sk_xxx
```

Merchant resources are scoped to the merchant attached to the API key. A key cannot access another merchant's customers, quotes, payments, transfers, or webhook configuration.
