# Authentication & CORS

> Authenticate requests securely.

All Pixelcut API requests require an API key sent as a header:

```http
X-API-Key: sk_...
```

## Security best practices

* Store keys in server-side environment variables or a secrets manager
* Rotate keys if you suspect compromise
* Never embed keys in browser or mobile apps

## Example

```bash
curl -sS "https://api.developer.pixelcut.ai/v1/credits" \
  -H "X-API-Key: $PIXELCUT_API_KEY"
```

## Browser / CORS guidance

Pixelcut APIs are designed to be called from a secure environment (your servers). Direct browser calls will typically fail due to CORS and would expose your secret key.

### Recommended architecture

* **Browser / client** uploads to **your backend**
* Your backend calls **Pixelcut API** using `X-API-Key`
* Your backend returns a signed URL or stored asset to the client

### Why this matters

* Prevents key leakage (the most common integration mistake)
* Lets you enforce your own auth, quotas, and abuse protection
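A minimal sketch of the backend side of the recommended architecture, added here as an illustration and not taken from Pixelcut's own code. The `/api/credits` client route, the `handle` and `call_pixelcut` helpers, and the quota values are assumptions; the only upstream endpoint used is the `/v1/credits` call shown above.

```python
import os, time, urllib.request
from collections import defaultdict, deque

PIXELCUT_BASE = "https://api.developer.pixelcut.ai"
# Assumed client route -> upstream path. An allowlist keeps the backend from
# becoming an open relay that forwards arbitrary paths with your key attached.
ALLOWED_PATHS = {"/api/credits": "/v1/credits"}
QUOTA, WINDOW = 5, 60.0          # assumed per-user limit: 5 calls per 60 seconds
_calls = defaultdict(deque)      # user -> timestamps of recent calls

def call_pixelcut(upstream_path, api_key):
    """Server-to-server call; the key exists only in this request's header."""
    req = urllib.request.Request(PIXELCUT_BASE + upstream_path,
                                 headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()

def handle(route, user, env=os.environ, upstream=call_pixelcut, now=time.monotonic):
    """Return (status, body) for a client request that reached our backend."""
    if user is None:                          # your own auth comes first
        return 401, b'{"error":"login required"}'
    upstream_path = ALLOWED_PATHS.get(route)
    if upstream_path is None:
        return 404, b'{"error":"unknown route"}'
    api_key = env.get("PIXELCUT_API_KEY")     # read server-side, never sent to the client
    if not api_key:
        return 500, b'{"error":"server misconfigured"}'
    t = now()
    window = _calls[user]
    while window and t - window[0] >= WINDOW:  # drop calls outside the window
        window.popleft()
    if len(window) >= QUOTA:                  # your own quota / abuse protection
        return 429, b'{"error":"quota exceeded"}'
    window.append(t)
    try:
        return upstream(upstream_path, api_key)
    except OSError:                           # network or HTTP errors from urllib
        return 502, b'{"error":"upstream unavailable"}'
```

Wire `handle` into whatever web framework you use; `user` should come from your own session or token check, not from anything the client can set freely.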

<Card title="Rate limits & retries" icon="timer" href="/developer-guide/core-concepts/rate-limits" />
