# Authentication

### API keys

[Create your API key here!](https://www.app.ocoya.com/general/settings/api)

Once the key is generated, please copy and store it immediately. We will not be able to show this API key again in the future, as we don't store API keys in plain text for security reasons. If you lose it, you will have to replace it with a new API key.

Provide your API key in an `X-API-Key` **header**, together with your request payload, where `XXXX` is your token:

```http
X-API-Key: XXXX
Content-Type: application/json
Accept: application/json
```

Use the following base URL for all API endpoints (subject to change):

{% tabs %}
{% tab title="v1" %}

```url
https://app.ocoya.com/api/_public/v1
```

{% endtab %}
{% endtabs %}

{% hint style="warning" %}
**Using API keys on the client-side**

API keys are designed for server-side use. Do not use them directly in client-side code that makes AJAX calls, because the key would then be exposed publicly. We advise you to make all requests on the **server side**.
{% endhint %}

***

### Authentication errors

You might encounter the following authentication errors.

{% tabs %}
{% tab title="When API key is not provided" %}
If you fail to provide a token, you'll get this response on all requests:

```http
Response Code: 401 Unauthorized
Content-Type: application/json
```

```json
{
  "message": "Missing API token."
}
```

{% endtab %}

{% tab title="When API key is invalid" %}
If you provide an invalid token, requests to API endpoints will fail with a response in the following format:

```http
Response Code: 403 Forbidden
Content-Type: application/json
```

```json
{
  "message": "Invalid API token."
}
```

{% endtab %}
{% endtabs %}
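
The server-side usage advised above and the two documented error responses, combined in an added example (not Ocoya's own code): the key is read from server configuration, sent in the `X-API-Key` header, and `401`/`403` are mapped to distinct errors. The variable name `OCOYA_API_KEY`, the function names and the operator hints are assumptions, and any endpoint path you pass in must come from the API reference.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://app.ocoya.com/api/_public/v1"  # base URL from this page
KEY_ENV_VAR = "OCOYA_API_KEY"  # assumed name; the page does not define one


class AuthError(Exception):
    """One of the two authentication failures documented on this page."""

    def __init__(self, status, message, hint):
        super().__init__(f"{status} {message} ({hint})")
        self.status, self.message, self.hint = status, message, hint


# What each documented status means for whoever operates the server (assumed wording).
HINTS = {
    401: "X-API-Key header did not reach the API; check server configuration",
    403: "key rejected; check the stored key or replace it with a new one",
}


def auth_headers(env=os.environ):
    """Build the documented headers; the key comes from server-side config only."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return {"X-API-Key": key, "Content-Type": "application/json",
            "Accept": "application/json"}


def call_api(method, path, payload=None, env=os.environ, opener=urllib.request.urlopen):
    """Send one request and turn 401/403 into AuthError; other errors propagate."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data,
                                 headers=auth_headers(env), method=method)
    try:
        with opener(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code not in HINTS:
            raise
        try:
            message = json.loads(err.read()).get("message", "")
        except (ValueError, AttributeError):
            message = ""
        # The exception carries status, message and hint only, never the key.
        raise AuthError(err.code, message, HINTS[err.code]) from None
```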
