# Authentication

> Integrate securely with the API using account-level API keys transmitted in the `X-API-KEY` header.

<h2 id="api-keys">
  API Keys
</h2>

Every account can create a maximum of 3 API keys from the [Integration Page](https://app.trophy.so/integration). If you've already signed up, you'll have created one during onboarding.

Trophy records and displays when each API key in your account was created and when it was last used, so you can easily monitor usage.

<Frame>
  <img height="200" noZoom src="https://mintcdn.com/trophy/TwFTsrgzoQZ8iwx1/assets/api/authentication/api_keys.png?fit=max&auto=format&n=TwFTsrgzoQZ8iwx1&q=85&s=8732eb5e00fd50e58a3995a440ed77c9" data-path="assets/api/authentication/api_keys.png" />
</Frame>

<h3 id="anatomy-of-an-api-key">
  Anatomy of an API key
</h3>

Each API key is made up of 2 parts separated by a period:

```bash theme={null}
{prefix}.{body}
```

* The *prefix* is the first 8 characters. It's readable and will always stay the same so it's easily recognisable.
* The *body* is the secret part, and is only shown to you once when you create the key.

<Note>
  When using the API, both parts of your API key must be sent in the `X-API-KEY`
  header.
</Note>

<h3 id="authenticating-requests">
  Authenticating Requests
</h3>

When making requests to the API, make sure to include **both** parts of your API key in the `X-API-KEY` header as in this example:

```bash theme={null}
curl https://app.trophy.so/api/users/<userId>/metrics/<key> \
     -H "X-API-KEY: ********.***********************"
```

If you do not pass an API key, or your API key is invalid, you'll receive a `401` response code.
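
The key handling described above, sketched as a small Python client helper. This is an added example, not Trophy's SDK or code from the original page: the function names and the sample key are hypothetical, and because the page does not document the body's alphabet or length, only the 8-character prefix and the period separator are checked.

```python
import urllib.error
import urllib.request

PREFIX_LEN = 8  # per the page: the prefix is the first 8 characters


def parse_key(raw: str) -> tuple[str, str]:
    """Split a key into (prefix, body), rejecting malformed values."""
    key = raw.strip()  # secrets read from files often carry a trailing newline
    if len(key) <= PREFIX_LEN + 1 or key[PREFIX_LEN] != ".":
        raise ValueError("expected {prefix}.{body} with an 8-character prefix")
    # Embedded whitespace or control characters (CR/LF) would corrupt the header.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in key):
        raise ValueError("key contains whitespace or control characters")
    return key[:PREFIX_LEN], key[PREFIX_LEN + 1:]


def redact(raw: str) -> str:
    """Log-safe form: the readable prefix only, never the secret body."""
    prefix, _body = parse_key(raw)
    return f"{prefix}.<redacted>"


def build_request(url: str, raw_key: str) -> urllib.request.Request:
    """Attach both parts of the key in the X-API-KEY header."""
    prefix, body = parse_key(raw_key)
    # urllib stores the name as "X-api-key"; HTTP header names are case-insensitive.
    return urllib.request.Request(url, headers={"X-API-KEY": f"{prefix}.{body}"})


def fetch(url: str, raw_key: str, timeout: float = 10.0) -> bytes:
    """Send the request; turn a 401 into an error that names the key by prefix."""
    try:
        with urllib.request.urlopen(build_request(url, raw_key), timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError(
                f"401 for key {redact(raw_key)}: missing, invalid, rotated or revoked"
            ) from err
        raise


if __name__ == "__main__":
    sample = "abcd1234.constructed-body-not-a-real-key\n"  # constructed sample key
    print(redact(sample))
```

Logging only the prefix lets you match a failing request to the key shown in the dashboard without writing the secret body to logs.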

<h2 id="managing-api-keys">
  Managing API keys
</h2>

There are a few different operations you can perform on API keys from within your Trophy dashboard to manage your integration.

<Frame>
  <img height="200" noZoom src="https://mintcdn.com/trophy/TwFTsrgzoQZ8iwx1/assets/api/authentication/api_key_options.png?fit=max&auto=format&n=TwFTsrgzoQZ8iwx1&q=85&s=c0093894858d5ac5eb41dabcd751818d" data-path="assets/api/authentication/api_key_options.png" />
</Frame>

<h3 id="rotating-keys">
  Rotating keys
</h3>

API keys can be rotated if you want to change them for any reason. At the point of rotation, the original API key will no longer function and any requests still using it will begin receiving `401` responses immediately.

<Note>
  Note that when rotating keys, both the prefix and the body will change.
</Note>

<h3 id="revoking-keys">
  Revoking keys
</h3>

API keys can also be revoked entirely, at which point they become *Inactive*. At the point of revocation, the API key will no longer function and any requests still using it will begin receiving `401` responses immediately.

Once an API key has been revoked, you can re-activate it at any time.

<Note>
  Neither the prefix nor the body of the key changes when it is revoked or re-activated.
</Note>

<h3 id="deleting-api-keys">
  Deleting API keys
</h3>

If you're 100% sure you no longer need an API key, you can delete it.

<Error>Once API keys are deleted, they cannot be recovered.</Error>

<h2 id="get-support">
  Get Support
</h2>

Want to get in touch with the Trophy team? Reach out to us via [email](mailto:support@trophy.so). We're here to help!
