> ## Documentation Index
> Fetch the complete documentation index at: https://doc.octopusx.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication Methods

> Explains Bearer Token, native-compatible authentication headers, login session state, and OAuth browser flows.

# Authentication Methods

The project has three access methods at the same time: API Key authentication, native-compatible authentication headers, and browser login session state. First, distinguish whether you are accessing a relay route or a `/api/*` admin route.

## Bearer Token

Used for most relay routes, including:

* `/v1/*`
* `/v1beta/*`
* `/mj/*`
* `/suno/*`
* `/kling/v1/*`
* `/dashboard/billing/*`

Request header:

```http theme={null}
Authorization: Bearer YOUR_API_KEY
```

## Claude Native-Compatible Headers

Used for `POST /v1/messages` and other pages in Claude native format:

```http theme={null}
x-api-key: YOUR_API_KEY
anthropic-version: 2023-06-01
```

## Gemini Native-Compatible Headers

Used for `GET /v1beta/models` and `POST /v1beta/models/{model}:{action}`:

```http theme={null}
x-goog-api-key: YOUR_API_KEY
```

It also supports the query parameter style `?key=YOUR_API_KEY`.

## User Login Session State

Used for `/api/user/*`, backend management, and some frontend dashboard APIs. Typical characteristics:

* Authentication is controlled by middlewares such as `UserAuth`, `AdminAuth`, and `RootAuth`.
* On failure, many APIs still return HTTP `200`, but `success` is `false`.

## OAuth Browser Flow

### 1. Generate `state`

```http theme={null}
GET /api/oauth/state
```

Successful response:

```json theme={null}
{
  "success": true,
  "message": "",
  "data": "a1b2c3d4e5f6"
}
```

### 2. Redirect to the standard OAuth provider

```http theme={null}
GET /api/oauth/{provider}
```

This route is used by browser callbacks. The server will validate `state`, fetch user information, bind or create an account, and then establish a login session state.

Common `provider` values are determined by the OAuth configurations actually enabled, for example:

* `github`
* `discord`
* `oidc`
* `linuxdo`

## Common Responses on Authentication Failure

### Relay Routes

```json theme={null}
{
  "error": {
    "message": "Invalid API key provided",
    "type": "invalid_request_error",
    "param": "",
    "code": "invalid_api_key"
  }
}
```

### `/api/*` Routes

```json theme={null}
{
  "success": false,
  "message": "Invalid token"
}
```

## Related Pages

* [Account Balance and Usage](./billing)
* [Text Series Overview](../texts/overview)
