> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sendpilot.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Secure your API requests with API key authentication

## API Key Authentication

All requests to the SendPilot API must be authenticated using an API key. Include your API key in the `X-API-Key` header of every request:

```bash theme={null}
curl https://api.sendpilot.ai/v1/campaigns \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json"
```

## Obtaining API Keys

API keys are created through the SendPilot dashboard:

1. Log in to your SendPilot account
2. Navigate to **Integrations** → **API Keys**
3. Click **Create API Key**
4. Give your key a descriptive name
5. Copy and securely store your API key

<Warning>
  API keys are only shown once when created. Store them securely immediately.
</Warning>

## API Key Security

<Warning>
  Your API keys carry sensitive privileges. Keep them secure at all times.
</Warning>

### Best Practices

* **Never commit API keys** to version control (use environment variables)
* **Rotate keys regularly** for enhanced security
* **Use descriptive names** to track which key is used where
* **Revoke unused keys** through the dashboard
* **Monitor usage** for unexpected patterns

### Storing Keys Securely

Store API keys in environment variables or a secure secrets management system:

```bash theme={null}
# .env file (never commit this)
SENDPILOT_API_KEY=sp_live_abc123xyz...
```

```javascript theme={null}
// Node.js example
const apiKey = process.env.SENDPILOT_API_KEY;

const response = await fetch('https://api.sendpilot.ai/v1/campaigns', {
  method: 'GET',
  headers: {
    'X-API-Key': apiKey,
    'Content-Type': 'application/json'
  }
});
```

```python theme={null}
# Python example
import os
import requests

api_key = os.environ.get('SENDPILOT_API_KEY')

response = requests.get(
    'https://api.sendpilot.ai/v1/campaigns',
    headers={
        'X-API-Key': api_key,
        'Content-Type': 'application/json'
    }
)
```

## Error Responses

### 401 Unauthorized

Returned when authentication fails:

```json theme={null}
{
  "statusCode": 401,
  "message": "Invalid API key",
  "error": "Unauthorized"
}
```

**Common causes:**

* Missing `X-API-Key` header
* Invalid API key
* Revoked API key

### 403 Forbidden

Returned when authentication succeeds but you lack permission:

```json theme={null}
{
  "statusCode": 403,
  "message": "API key does not have permission to access this workspace",
  "error": "Forbidden"
}
```

**Common causes:**

* API key belongs to a different workspace
* Trying to access another user's resources

## Scoping

Each API key is scoped to a specific workspace. You can only access campaigns and leads within the workspace associated with your API key.
