# Authentication

> Bearer keys, where to keep them, and how to correlate requests when something goes wrong.

Every `/v1/*` endpoint authenticates with an API key. Send it as a bearer token (preferred):

```bash
curl -s https://api.kalpalabs.ai/v1/models \
  -H "Authorization: Bearer $KALPA_API_KEY"
```

or, where headers are awkward to compose, as `X-API-Key`:

```bash
curl -s https://api.kalpalabs.ai/v1/models -H "X-API-Key: $KALPA_API_KEY"
```

A missing or invalid key returns `401` in the standard envelope:

```json
{ "error": { "type": "authentication_error", "message": "Invalid API key.", "request_id": "…" } }
```

## Keys

- Keys are provisioned per team while the API is in early access — write to [hello@kalpalabs.ai](mailto:hello@kalpalabs.ai) to get one, rotate one, or raise its limits.
- Each key carries its own [rate limits](/rate-limits-and-errors) and its own [usage meter](/usage).
- Treat the key like a password: call the API from your servers, not from browsers or shipped apps. If a key leaks, ask us to rotate it.

## Request IDs

Every response carries an `X-Request-ID` header, echoed into error envelopes and our logs. Pass your own `X-Request-ID` header to correlate with your systems, and include the id when reporting a problem.
