> ## Documentation Index
> Fetch the complete documentation index at: https://docs.photalabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate your API requests with an API key

export const DEVELOPER_PORTAL_URL = "https://platform.photalabs.com";

All Phota API endpoints require authentication via the `X-API-Key` header.

## Obtaining an API key

Sign up or log in to the <a href={DEVELOPER_PORTAL_URL}>Developer Portal</a> to generate an API key.

## Using your API key

Include the `X-API-Key` header in every request:

<CodeGroup>
  ```bash curl theme={null}
  curl https://api.photalabs.com/v1/phota/ \
    -H "X-API-Key: YOUR_API_KEY"
  ```

  ```python Python theme={null}
  import requests

  resp = requests.get(
      "https://api.photalabs.com/v1/phota/",
      headers={"X-API-Key": "YOUR_API_KEY"},
  )
  ```
</CodeGroup>

## Error responses

If the API key is missing or invalid, the API returns a `401 Unauthorized` response:

```json theme={null}
{
  "detail": "Missing or invalid API key in the X-API-Key header."
}
```

## Best practices

<AccordionGroup>
  <Accordion title="Keep your key secret">
    Never commit API keys to version control or expose them in client-side code. Use environment variables or a secrets
    manager to store them.
  </Accordion>

  <Accordion title="Use environment variables">
    Store your key in an environment variable and reference it in your code:

    ```bash theme={null}
    export PHOTA_API_KEY="your-key-here"
    ```

    ```python theme={null}
    import os
    import requests

    api_key = os.environ["PHOTA_API_KEY"]

    resp = requests.get(
        "https://api.photalabs.com/v1/phota/",
        headers={"X-API-Key": api_key},
    )
    ```
  </Accordion>

  <Accordion title="Rotate keys periodically">
    Generate a new key from the Developer Portal and update your applications. Revoke old keys once the new key is
    deployed.
  </Accordion>
</AccordionGroup>