# Authentication

> How AI agents authenticate against Tatum: pass your API key in the x-api-key header on every request. No OAuth flow. Where to store keys for MCP, apps, and CI.

- canonical: <https://ai.tatum.io/auth>
- html: <https://ai.tatum.io/auth>

## API key

Every call carries an API key in the `x-api-key` request header. Get one from the Tatum dashboard.

```http
GET /v4/data/wallet/portfolio?address=0x...&chain=ethereum-mainnet
Host: api.tatum.io
x-api-key: tatum_xxx
```

## Environment variables

- `TATUM_API_KEY` - used by the Tatum MCP server and the Integration Skill.
- Never hardcode the key. Never commit it. Never expose it client-side.

## Where to put it

| Runtime | Location |
| --- | --- |
| Tatum MCP | `env.TATUM_API_KEY` in your MCP client config |
| Backend service | `.env` consumed by your framework |
| CI / CD | Secret store (GitHub Actions, GitLab CI, etc.) |

## Get an API key

Sign up at <https://dashboard.tatum.io>.