> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getspine.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API key setup, rotation, and security.

All Spine API endpoints authenticate via the `X-API-KEY` header.

```
X-API-KEY: sk_spine_...
```

## Create an API key

1. Go to [API keys](https://platform.getspine.ai/keys) in the developer portal.
2. Click **Create Key** and give it an optional name.
3. Copy the key immediately — it is only shown once.
4. Use the key in the `X-API-KEY` header for all Spine API requests.

Keys can be rotated or revoked from the same page.

## Security best practices

* Never expose API keys in client-side code or commit them to version control.
* Store keys in environment variables or a secrets manager.
* Rotate keys periodically and whenever a team member with access leaves.
* Revoke keys immediately if a leak is suspected.
* Use a separate key per application or service so you can rotate scope-by-scope.
