Authentication
Themra uses bearer API keys. The same key authenticates both the MCP axiom_request_attestation tool and the REST POST /v1/topup endpoint.
Key format
axm_live_<32-char base58 body>
Keys are prefixed axm_live_. The server stores only a SHA-256 hash of your key (never the plaintext), plus a short non-secret prefix hint for support. Treat your key as a secret — anyone with it can spend your quota.
Sending the key
Send it as a bearer token in the Authorization header:
Authorization: Bearer axm_live_<your key>
This is the same shape MCP clients use (Claude Desktop, Cursor) — see client configuration.
Tiers
- Anonymous tier — the three read tools (axiom_quote_fee, axiom_fetch_attestation, axiom_fetch_audit_reference) work without a key.
- Authenticated tier — axiom_request_attestation and POST /v1/topup require a valid, active key.
Getting a key (V1 — private beta)
Keys are issued manually during the private beta; there is no self-serve signup yet. Request a key by contacting Axiom Stack through the Request Developer Access flow. Self-serve issuance and a customer portal are on the roadmap.
Failure responses
Validation outcomes map to standard status codes (full list in Error handling):
| Code | Meaning |
|---|---|
| 401 | Key missing, malformed, or not recognized. |
| 403 | Key recognized but inactive. |
| 402 | Authenticated, but quota exhausted — top up. |
| 503 | Auth store temporarily unavailable — retry. |
No key-enumeration leak (by design): an unknown key returns 401, the same as a missing/malformed key — the API never reveals whether a particular key exists. Only an inactive (but recognized) key returns 403.
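The validation order described above, sketched as an added example (not Themra's server code). The names authenticate, lookup, StoreUnavailable and the record fields are hypothetical, and the base58 alphabet and the check order (inactive before quota) are assumptions.

```python
import hashlib
import re

# Assumption: the "base58 body" uses the Bitcoin alphabet (no 0, O, I, l).
KEY_RE = re.compile(r"axm_live_[1-9A-HJ-NP-Za-km-z]{32}")

class StoreUnavailable(Exception):
    """Hypothetical error raised when the key store cannot be reached."""

def key_hash(key: str) -> str:
    # Only this digest is persisted; the plaintext key is never stored.
    return hashlib.sha256(key.encode("ascii")).hexdigest()

def authenticate(headers: dict, lookup) -> int:
    """Map one request to 200/401/402/403/503. `lookup` takes a digest and
    returns a record dict or None (hypothetical store interface)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not KEY_RE.fullmatch(token):
        return 401                      # missing or malformed
    try:
        record = lookup(key_hash(token))
    except StoreUnavailable:
        return 503                      # caller should retry
    if record is None:
        return 401                      # unknown: same answer as malformed
    if not record["active"]:
        return 403                      # recognized but inactive
    if record["quota"] <= 0:
        return 402                      # authenticated, quota exhausted
    return 200

# Constructed sample keys and store, for illustration only.
ACTIVE, INACTIVE, EMPTY, UNKNOWN = ("axm_live_" + c * 32 for c in "abcd")
STORE = {
    key_hash(ACTIVE): {"active": True, "quota": 10},
    key_hash(INACTIVE): {"active": False, "quota": 10},
    key_hash(EMPTY): {"active": True, "quota": 0},
}

def down(_digest):
    raise StoreUnavailable()

if __name__ == "__main__":
    for name, key in [("active", ACTIVE), ("inactive", INACTIVE),
                      ("empty", EMPTY), ("unknown", UNKNOWN)]:
        print(name, authenticate({"Authorization": f"Bearer {key}"}, STORE.get))
```

A malformed key is rejected before the store is queried, so it returns 401 even while the store is unavailable.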