> ## Documentation Index
> Fetch the complete documentation index at: https://docs.routemcp.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API key authentication for the RouteMCP API

All RouteMCP API requests are authenticated using **API keys**. Include your key in the `Authorization` header as a Bearer token with every request:

```bash theme={null}
curl https://api.routemcp.io/api/v1/crm/contact?provider=hubspot \
  -H "Authorization: Bearer sk_live_your_api_key" \
  -H "X-End-User-Id: user-123"
```

## Getting an API Key

API keys are managed from the RouteMCP dashboard:

1. Log in to your dashboard at `https://app.routemcp.com`
2. Navigate to **API Keys**
3. Click **Generate New Key**
4. Choose `live` (production) or `test` (sandbox) environment
5. Copy the key — it's only shown once

## Key Types

| Prefix     | Environment | Description                        |
| ---------- | ----------- | ---------------------------------- |
| `sk_live_` | Production  | Real data from connected providers |
| `sk_test_` | Sandbox     | Test data, safe for development    |

Use `sk_test_` keys during development and integration testing. Switch to `sk_live_` keys for production.

## Making Requests

### cURL

```bash theme={null}
curl https://api.routemcp.io/api/v1/crm/contact?provider=hubspot \
  -H "Authorization: Bearer sk_live_your_api_key" \
  -H "X-End-User-Id: user-123"
```

### JavaScript (fetch)

```javascript theme={null}
const response = await fetch(
  "https://api.routemcp.io/api/v1/crm/contact?provider=hubspot",
  {
    headers: {
      "Authorization": `Bearer ${process.env.ROUTERMCP_API_KEY}`,
      "X-End-User-Id": "user-123",
    },
  }
);

const { data } = await response.json();
```

### Python (requests)

```python theme={null}
import os
import requests

response = requests.get(
    "https://api.routemcp.io/api/v1/crm/contact",
    params={"provider": "hubspot"},
    headers={
        "Authorization": f"Bearer {os.environ['ROUTERMCP_API_KEY']}",
        "X-End-User-Id": "user-123",
    },
)

data = response.json()["data"]
```

## Security Best Practices

1. **Never expose API keys in client-side code** — keep them server-side only
2. **Use environment variables** — don't hardcode keys in source code
3. **Use test keys for development** — `sk_test_` keys access sandbox data
4. **Rotate keys periodically** — generate a new key from the dashboard and revoke the old one
5. **Use separate keys per environment** — different keys for staging vs production

## Error Responses

| Status | Code              | Description                                                                              |
| ------ | ----------------- | ---------------------------------------------------------------------------------------- |
| `401`  | `INVALID_API_KEY` | The API key is missing, malformed, or revoked. Check the `Authorization: Bearer` header. |
| `429`  | `RATE_LIMITED`    | Too many requests — see [Rate Limits](/guides/rate-limits)                               |

```json theme={null}
{
  "success": false,
  "statusCode": 401,
  "message": "Invalid or missing API key",
  "code": "INVALID_API_KEY"
}
```
