# Authentication

> How to authenticate requests to the Ocoya REST API.

## Base URL

The current REST API endpoint is:

```txt theme={null}
https://app.ocoya.com/api/_public/v1
```

## Header

Send your API key in the `X-API-Key` header.

```http theme={null}
X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: application/json
```

[Create API key](https://app.ocoya.com/general/settings/api)

## Test Your API Key

Call `/me` to verify the key.

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET "https://app.ocoya.com/api/_public/v1/me" \
    -H "X-API-Key: YOUR_API_KEY"
  ```

  ```js Node.js theme={null}
  const response = await fetch('https://app.ocoya.com/api/_public/v1/me', {
    headers: {
      'X-API-Key': process.env.OCOYA_API_KEY,
    },
  })

  const me = await response.json()
  console.log(me)
  ```
</CodeGroup>

If the key is valid, the API responds with your user context instead of an authentication error.

## Authentication Errors

<AccordionGroup>
  <Accordion title="Missing API key" icon="circle-alert">
    If no API key is provided, the API returns `401 Unauthorized`.

    ```json theme={null}
    {
      "message": "Missing API token."
    }
    ```
  </Accordion>

  <Accordion title="Invalid API key" icon="shield-alert">
    If the API key is invalid, the API returns `403 Forbidden`.

    ```json theme={null}
    {
      "message": "Invalid API token."
    }
    ```
  </Accordion>
</AccordionGroup>

## Security Notes

<AccordionGroup>
  <Accordion title="Keep keys server-side" icon="server">
    API keys are designed for backend requests. Do not use them directly in browser-side code.
  </Accordion>

  <Accordion title="Store keys securely" icon="lock">
    Store API keys in environment variables or a secrets manager.
  </Accordion>

  <Accordion title="Rotate exposed keys" icon="refresh-cw">
    Replace an API key if it appears in client code, logs, screenshots, or public repositories.
  </Accordion>
</AccordionGroup>
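
The documented `401`/`403` responses and the key-handling notes above, combined into a server-side key check. This is an added example, not Ocoya's own code; the function names (`loadApiKey`, `classifyAuthResponse`, `redact`, `verifyKey`) and outcome labels are assumptions.

```javascript
// Added example: helper names and outcome labels are hypothetical, not part of the Ocoya API.
const BASE_URL = 'https://app.ocoya.com/api/_public/v1'

// Read the key from the environment; fail closed if it is absent or blank.
function loadApiKey(env = process.env) {
  const key = (env.OCOYA_API_KEY || '').trim()
  if (!key) throw new Error('OCOYA_API_KEY is not set')
  return key
}

// Map the documented status codes to an outcome the caller can act on.
function classifyAuthResponse(status) {
  if (status === 401) return 'missing-key' // header was not sent: fix the client
  if (status === 403) return 'invalid-key' // key rejected: replace the key
  if (status >= 200 && status < 300) return 'ok'
  return 'other-error' // not an authentication outcome
}

// Strip the key from any text before it reaches logs or error reports.
function redact(text, key) {
  return key ? String(text).split(key).join('[REDACTED]') : String(text)
}

// Verify the key against /me. fetchImpl is injectable so the check can be
// exercised offline with a stub instead of the real network.
async function verifyKey(fetchImpl = fetch, env = process.env) {
  const key = loadApiKey(env)
  try {
    const res = await fetchImpl(`${BASE_URL}/me`, {
      headers: { 'X-API-Key': key, Accept: 'application/json' },
    })
    const outcome = classifyAuthResponse(res.status)
    return { outcome, user: outcome === 'ok' ? await res.json() : null }
  } catch (err) {
    // Network errors are rethrown with the key removed from the message.
    throw new Error(redact(err.message, key))
  }
}
```

Run `verifyKey()` at service start-up so a missing or rejected key stops the deployment instead of surfacing later as failed requests.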

## MCP Authentication

MCP does not use Ocoya API keys. MCP clients authenticate through OAuth and ask the user to approve workspace access.

See [MCP](/mcp/get-started) for setup instructions.
