# Public agent authentication

> How to authenticate requests to the public agents API.

## Two mechanisms

### `X-API-Key`

The `X-API-Key` starts the conversation with the Quintus backend. It is used to create the `conversation_id` and generate the initial `session_token` that will be used from that point on.

Use this header to:

* create the conversation;
* refresh the conversation token when needed;
* authenticate calls made outside the conversation context.

<Note>
  Create or manage your API keys at [app.quintus.tec.br/settings/api-keys](https://app.quintus.tec.br/settings/api-keys). For public agents, use keys in the `qts-pk-...` format.
</Note>

### `Authorization: Bearer <session_token>`

The `session_token` is a short-lived token scoped to a single conversation. After the conversation is created, the client uses this token to interact with the agent without exposing the public API key on every request.

Use the `session_token` to:

* send messages;
* retrieve the conversation;
* stream responses;
* upload files;
* terminate the session;
* send feedback.

## Recommendations

* Do not expose private API keys in public frontends.
* Handle token expiration in the client.
* Keep the `session_token` only while the conversation is active.
* Honor `Retry-After` on `429` responses.
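
The sketch below is an added example, not code from Quintus. It shows one way a client could pick the credential per request, refresh an expired `session_token` with the API key, and honor `Retry-After` on `429`. The `401`-means-expired rule, the refresh response shape, `creds.refreshPath`, and the `transport`/`sleep` helpers are assumptions, not documented API.

```javascript
// Added example. Assumed, not from the Quintus docs: 401 signals an expired
// session_token, refresh returns { session_token }, header names are lowercased.
const MAX_ATTEMPTS = 4;       // total tries per request
const MAX_WAIT_MS = 60000;    // give up rather than retry earlier than asked
const DEFAULT_WAIT_MS = 1000; // used when a 429 carries no usable Retry-After

// Choose the credential by purpose: API key to create/refresh, Bearer otherwise.
function authHeaders(purpose, creds) {
  if (purpose === "create" || purpose === "refresh") return { "X-API-Key": creds.apiKey };
  if (!creds.sessionToken) throw new Error("no active session_token");
  return { Authorization: `Bearer ${creds.sessionToken}` };
}

// Retry-After is either delta-seconds or an HTTP-date.
function retryAfterMs(value, nowMs) {
  const v = String(value ?? "").trim();
  const ms = /^\d+$/.test(v) ? Number(v) * 1000 : Date.parse(v) - nowMs;
  return Number.isFinite(ms) ? Math.max(ms, 0) : DEFAULT_WAIT_MS;
}

// Pure decision on one response: done, refresh the token, wait, or fail.
function nextStep(res, attempt, nowMs) {
  if (res.status >= 200 && res.status < 300) return { action: "done" };
  if (attempt >= MAX_ATTEMPTS) return { action: "fail" };
  if (res.status === 401) return { action: "refresh" };
  if (res.status !== 429) return { action: "fail" };
  const delayMs = retryAfterMs(res.headers["retry-after"], nowMs);
  return delayMs <= MAX_WAIT_MS ? { action: "wait", delayMs } : { action: "fail" };
}

// Driver. transport(req) resolves to { status, headers, body }; creds.refreshPath
// is a placeholder for the token-refresh endpoint, which this page does not name.
async function sendWithSession(creds, req, transport, sleep) {
  for (let attempt = 1; ; attempt++) {
    const res = await transport({ ...req, headers: authHeaders("message", creds) });
    const step = nextStep(res, attempt, Date.now());
    if (step.action === "done") return res.body;
    if (step.action === "fail") throw new Error(`request failed with status ${res.status}`);
    if (step.action === "wait") await sleep(step.delayMs);
    if (step.action === "refresh") {
      const r = await transport({ path: creds.refreshPath, headers: authHeaders("refresh", creds) });
      if (r.status !== 200) throw new Error(`token refresh failed with status ${r.status}`);
      creds.sessionToken = r.body.session_token;
    }
  }
}

// Drop the token once the conversation ends, per the recommendations.
function endSession(creds) { creds.sessionToken = null; }
```

A `Retry-After` longer than `MAX_WAIT_MS` is treated as a failure so the client never retries sooner than the server asked.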
