# Authentication

> Authenticate requests using API keys

The Operate API uses API key authentication. Every request must include a valid API key in the `x-api-key` header.

## How it works

```
x-api-key: your-api-key-here
```

Your API key is tied to a specific organization. All data returned by the API is automatically scoped to that organization — you don't need to pass an organization ID.

## Obtaining an API key

1. Log in to the [Operate dashboard](https://app.operate.so)
2. Go to **Settings > API Keys**
3. Click **Create API Key** and copy the generated key

<Warning>
  API keys are shown only once at creation time. Store them securely (e.g. in
  environment variables or a secrets manager).
</Warning>

## Using the API key

Include the `x-api-key` header with every request:

```bash
curl -X GET https://api.operate.so/companies/list \
  -H "x-api-key: sk_live_abc123..."
```

## Error responses

| Status | Meaning                                                |
| ------ | ------------------------------------------------------ |
| `400`  | Missing `x-api-key` header                             |
| `401`  | Invalid or expired API key                             |
| `403`  | API key does not have access to the requested resource |

All authentication errors follow the standard error shape:

```json
{
  "success": false,
  "error": {
    "type": "authentication_error",
    "message": "Missing API Key"
  }
}
```

## Best practices

<AccordionGroup>
  <Accordion title="Store keys in environment variables">
    Never hardcode API keys in source code. Use environment variables or a
    secrets manager like AWS Secrets Manager, Doppler, or Infisical.
  </Accordion>

  <Accordion title="Use server-side requests only">
    API keys should only be used in server-side code. Never expose them in
    client-side JavaScript, mobile apps, or public repositories.
  </Accordion>

  <Accordion title="Rotate keys periodically">
    Generate new API keys and revoke old ones on a regular schedule to limit
    exposure from potential leaks.
  </Accordion>
</AccordionGroup>
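
The environment-variable practice and the error table above, combined in an added example (not Operate's own code or SDK): the key is read from the environment at call time, and `400`/`401`/`403` responses in the standard error shape are mapped to a next step. The variable name `OPERATE_API_KEY`, the function names and the action wording are assumptions.

```python
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.operate.so"  # base URL taken from the curl example on this page
KEY_ENV_VAR = "OPERATE_API_KEY"      # assumed variable name, not defined by Operate

# Next step for each status in the error table (wording is this example's, not Operate's).
AUTH_STATUS_ACTIONS = {
    400: "client bug: the x-api-key header was not sent",
    401: "key invalid or expired: create a new key and update the secret store",
    403: "key is valid but has no access to the requested resource",
}

def build_request(path, environ=os.environ):
    """Build a GET request whose key comes from the environment, never from source."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set; refusing to send the request")
    return urllib.request.Request(
        f"{API_BASE}{path}", headers={"x-api-key": key}, method="GET")

def classify_auth_error(status, body):
    """Return (message, action) for an authentication failure, else None."""
    if status not in AUTH_STATUS_ACTIONS:
        return None
    try:
        payload = json.loads(body)
    except ValueError:  # non-JSON body, e.g. an HTML page from a proxy
        return None
    error = payload.get("error") if isinstance(payload, dict) else None
    if not isinstance(error, dict) or error.get("type") != "authentication_error":
        return None  # a 400 raised for some reason other than authentication
    return error.get("message", ""), AUTH_STATUS_ACTIONS[status]

def call(path):
    """Send the request; raise PermissionError on an authentication failure."""
    try:
        with urllib.request.urlopen(build_request(path), timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        failure = classify_auth_error(exc.code, exc.read())
        if failure is None:
            raise
        # The key itself never appears in the exception text or in logs.
        raise PermissionError(f"HTTP {exc.code}: {failure[0]} ({failure[1]})") from None
```

Treating `401` separately from `403` keeps a revoked or rotated key from being retried indefinitely, and keeps an access problem from triggering needless key rotation.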
