> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getlokki.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate your requests to the Lokki API

## API Key Authentication

All API endpoints require authentication using an **Access Token** passed in the `x-api-key` request header.

Requests without a valid token or with an incorrect header name will return a `401 Unauthorized` response.

### Example Request

```http theme={null}
GET /v2/external/stores
Host: prod.api.eu-west-3.lokki.rent
x-api-key: YOUR_ACCESS_TOKEN
```

<Note>
  Replace `YOUR_ACCESS_TOKEN` with your actual token provided by Lokki.
</Note>

## How to Obtain an Access Token

To obtain an access token, please contact your **Lokki representative**. They will guide you through the partnership process and provide the necessary credentials for both Staging and Production environments.

## Environments

Access tokens are environment-specific. A token generated for Staging will not work on Production, and vice-versa.

| Environment    | Example Token Format |
| -------------- | -------------------- |
| **Staging**    | `lokki_sk_test_...`  |
| **Production** | `lokki_sk_live_...`  |

## Key Scopes

API keys are scoped to limit access based on your partnership agreement. These scopes are defined at three levels:

1. **Domain level**: Access to specific data sets (e.g., `stores`, `items`).
2. **Action level**: Permission to perform specific actions (`read`, `write`).
3. **Route level**: Access to specific HTTP methods (e.g., `GET`, `POST`).

<Info>
  If you receive a `403 Forbidden` error, your token might not have the required scope for that specific endpoint.
</Info>

## Security Best Practices

* **Keep Your Token Secret**: Treat your access token like a password. Never expose it in client-side code (browsers, mobile apps) or public repositories.
* **Use Environment Variables**: Store your tokens in secure environment variables or a secret management system.
* **Rotate Keys**: If you suspect a token has been compromised, contact your Lokki representative immediately to revoke it and issue a new one.
