> ## Documentation Index
> Fetch the complete documentation index at: https://docs.canaryedge.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Canary Edge API

## API Key

Every request to detection and management endpoints requires an API key. Canary accepts three header formats, checked in this order:

| Header                      | Format                 | Notes                        |
| --------------------------- | ---------------------- | ---------------------------- |
| `Ocp-Apim-Subscription-Key` | `cnry_live_xxx`        | Azure-compatible header name |
| `X-Canary-Key`              | `cnry_live_xxx`        | Canary native header         |
| `Authorization`             | `Bearer cnry_live_xxx` | Standard Bearer token        |

```bash theme={null}
curl https://api.canaryedge.com/anomalydetector/v1.1/timeseries/entire/detect \
  -H "Ocp-Apim-Subscription-Key: cnry_live_abc123..."
```

The Azure Python SDK (`azure-ai-anomalydetector`) and .NET SDK (`Azure.AI.AnomalyDetector`) send the `Ocp-Apim-Subscription-Key` header automatically when constructed with `AzureKeyCredential`. Canary keys pass SDK validation because the SDK only checks that the key is a non-empty string.

### Key Types

| Key Type | Prefix       | Use Case                             |
| -------- | ------------ | ------------------------------------ |
| Live     | `cnry_live_` | Production API calls                 |
| Test     | `cnry_test_` | Development and testing (no billing) |

Generate and manage keys in your [dashboard](https://canaryedge.com/dashboard/api-keys).

### Key Scope

API keys are scoped to an organization. All baselines, usage records, and machine data are isolated by organization ID.

## JWT Authentication

Dashboard-authenticated users can also use Clerk JWT tokens:

```bash theme={null}
curl https://api.canaryedge.com/v1/detect \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."
```

This is used internally by the Canary Edge dashboard.

## AWS Marketplace Bridge

Customers who subscribe to Canary Edge through [AWS Marketplace](https://aws.amazon.com/marketplace/) authenticate with the same API key headers described above. The difference is how the account is provisioned and how usage is billed.

### Registration Flow

When a customer subscribes via AWS Marketplace, AWS redirects them to the Canary Edge landing page with an `x-amzn-marketplace-token` query parameter. Canary resolves this token to an AWS customer identifier and provisions an organization and API key automatically.

### Billing Dimensions

AWS Marketplace usage is metered across three dimensions:

| Dimension            | Unit      | Description                                       |
| -------------------- | --------- | ------------------------------------------------- |
| `batch_api_calls`    | API calls | Calls to `entire/detect` and `changepoint/detect` |
| `stream_api_calls`   | API calls | Calls to `last/detect`                            |
| `monitored_machines` | Machines  | Active machines with baselines                    |

Usage is reported hourly to the AWS Marketplace Metering API. The minimum billable unit is 1,000 API calls per reporting period.

### Using Your API Key

Once provisioned, AWS Marketplace customers use Canary Edge exactly like direct customers. The same endpoints and headers work:

```bash theme={null}
curl https://api.canaryedge.com/anomalydetector/v1.1/timeseries/entire/detect \
  -H "Content-Type: application/json" \
  -H "Ocp-Apim-Subscription-Key: YOUR_API_KEY" \
  -d '{"series": [...], "granularity": "hourly"}'
```

No AWS SDK or IAM credentials are needed for API calls. All authentication goes through the Canary Edge API key -- AWS is only involved for billing.
