Add API key format validation

[codebestia]

Description:

API keys must conform to a format (e.g. pk_live_, sk_live_, pk_test_, sk_test_ prefixes). Catching a malformed key before the first network call saves developers from cryptic 401 errors. Validation should also enforce that a live key is not accidentally used with the sandbox environment, and vice versa.

Proposed Steps:

• Write a validate_api_key(key: str, environment: Environment) function in config.py.
• Check prefix, minimum length, and character set.
• Warn (but do not raise) when a test_ key is used with PRODUCTION or a live_ key with SANDBOX.
• Call this in the ShadeClient constructor and in the global setter.

Acceptance Criteria:

• A key not matching the expected format raises AuthenticationError at configuration time, not at request time.
• A pk_test_ key used with environment="production" emits a UserWarning.
• A valid sk_live_ key passes validation without error.
• None or empty string raises AuthenticationError immediately.

[yeiner-45]

Hi! I would love to take on this issue. Validating API keys client-side is an excellent way to improve the developer experience and prevent confusing 401 network errors. I have a strong background in software logic, validation patterns, and exception handling. I can easily implement the validate_api_key logic in config.py using clean string manipulation and character set checks, ensure the proper UserWarning is emitted for environment mismatches without breaking execution, and integrate it into the ShadeClient constructor. Ready to work on this right away!

[xJeffx23]

Hello!

My name is Jefferson, and I have been contributing to open-source projects for over a year. I have participated in multiple hackathons and have experience working with SDKs, API integrations, and developer-focused tooling.

I would like to work on this issue because validating API keys at configuration time provides a much better developer experience than surfacing errors only after a request is made. Early validation can prevent common configuration mistakes and make authentication issues easier to diagnose.

My plan would be to implement a validate_api_key function that validates prefixes, minimum length, and allowed characters, while also checking for environment mismatches and emitting warnings when appropriate. I would integrate the validation into the client initialization flow and global configuration setters, then add tests covering invalid keys, empty values, warning scenarios, and valid production keys.

I would greatly appreciate the opportunity to contribute to the project. Thank you for your time and consideration!

[grantfox-oss]

🦊 GrantFox — @yeiner-45 has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #4)
2. Your PR will be reviewed by the ShadeProtocol maintainers

Good luck! Track your progress on GrantFox.