---
title: Authentication | Lightcone
description: Get your API key and configure the SDK.
---

All API requests require a Bearer token. The SDKs read your key from the `TZAFON_API_KEY` environment variable by default.

## Get your API key

1. Sign up at [lightcone.ai](https://lightcone.ai)
2. Go to the [developer dashboard](https://lightcone.ai/developer)
3. Copy your API key (starts with `sk_`)

## Set the environment variable

Terminal window

```
export TZAFON_API_KEY=sk_your_api_key_here
```

The SDK will pick this up automatically:

```
from tzafon import Lightcone


client = Lightcone()  # reads TZAFON_API_KEY from environment
```

```
import Lightcone from "@tzafon/lightcone";


const client = new Lightcone();  // reads TZAFON_API_KEY from environment
```

## Pass the key explicitly

If you prefer not to use environment variables:

```
client = Lightcone(api_key="sk_your_api_key_here")
```

```
const client = new Lightcone({ apiKey: "sk_your_api_key_here" });
```

## Base URL

The SDK defaults to `https://api.tzafon.ai`. Override it for custom deployments:

```
client = Lightcone(base_url="https://your-deployment.example.com")
```

```
const client = new Lightcone({ baseURL: "https://your-deployment.example.com" });
```

You can also set the `LIGHTCONE_BASE_URL` environment variable.

## Configure timeouts and retries

```
client = Lightcone(
    timeout=30.0,      # seconds
    max_retries=3,
)
```

```
const client = new Lightcone({
  timeout: 30000,     // milliseconds
  maxRetries: 3,
});
```

Both SDKs retry automatically on connection errors and 5xx responses (default: 2 retries).

## Using raw curl

If you’re not using an SDK, pass the key as a Bearer token:

Terminal window

```
curl https://api.tzafon.ai/computers \
  -H "Authorization: Bearer $TZAFON_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"kind": "browser"}'
```

## Rate limits

- 10 failed authentication attempts in 10 minutes will block your IP
- Concurrent session limits depend on your plan tier
- If rate limited, you’ll receive a `429` response with retry guidance

Never commit your API key to source control. Use environment variables or a secrets manager.

## See also

- [**Quickstart**](/guides/quickstart/index.md) — use your API key to create your first browser session
- [**Troubleshooting**](/guides/troubleshooting/index.md) — fix authentication errors and rate limits