# Authentication

> Bearer keys, where to keep them, and how to correlate requests when something goes wrong.

Every `/v1/*` endpoint authenticates with an API key. Send it as a bearer token (preferred):

```bash
curl -s https://api.kalpalabs.ai/v1/models \
  -H "Authorization: Bearer $KALPA_API_KEY"
```

or, where headers are awkward to compose, as `X-API-Key`:

```bash
curl -s https://api.kalpalabs.ai/v1/models -H "X-API-Key: $KALPA_API_KEY"
```

A missing or invalid key returns `401` in the standard envelope:

```json
{
  "error": {
    "type": "authentication_error",
    "message": "Invalid API key.",
    "request_id": "…"
  }
}
```

## Keys

- Keys are provisioned per team while the API is in early access — write to [hello@kalpalabs.ai](mailto:hello@kalpalabs.ai) to get one, rotate one, or raise its limits.
- Each key carries its own [rate limits](/rate-limits-and-errors) and its own [usage meter](/usage).
- Treat the key like a password: call the API from your servers, not from browsers or shipped apps. If a key leaks, ask us to rotate it.

## Request IDs

Every response carries an `X-Request-ID` header, echoed into error envelopes and our logs. Pass your own `X-Request-ID` header to correlate with your systems, and include the id when reporting a problem.
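
A server-side client sketch tying the sections above together, added here as an example and not Kalpa's own code: it reads the key from the environment, sends its own `X-Request-ID`, and reduces a failed response to a record that is safe to log because it never contains the key. The function names are hypothetical, and the fallback order for the id (envelope, then response header, then the id we sent) is an assumption.

```python
import json
import os
import uuid
import urllib.error
import urllib.request

BASE_URL = "https://api.kalpalabs.ai"  # host taken from the curl examples on this page


def build_headers(api_key, request_id=None):
    """Bearer auth plus a caller-chosen X-Request-ID for correlation."""
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key missing or has stray whitespace")
    return {
        "Authorization": f"Bearer {api_key}",
        "X-Request-ID": request_id or uuid.uuid4().hex,
    }


def describe_failure(status, headers, body, sent_request_id):
    """Turn an error response into a log-safe record (never includes the key)."""
    try:
        parsed = json.loads(body)
        err = parsed.get("error") if isinstance(parsed, dict) else None
    except (ValueError, TypeError):
        err = None  # e.g. an HTML error page from a proxy, not the JSON envelope
    err = err if isinstance(err, dict) else {}
    header_id = {k.lower(): v for k, v in headers.items()}.get("x-request-id")
    return {
        "status": status,
        "type": err.get("type", "unknown"),
        "message": err.get("message", ""),
        "request_id": err.get("request_id") or header_id or sent_request_id,
        "sent_request_id": sent_request_id,
        "key_rejected": status == 401 and err.get("type") == "authentication_error",
    }


def list_models(api_key=None):
    """GET /v1/models; returns parsed JSON or raises with the failure record."""
    headers = build_headers(api_key or os.environ.get("KALPA_API_KEY", ""))
    req = urllib.request.Request(f"{BASE_URL}/v1/models", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        record = describe_failure(exc.code, dict(exc.headers), exc.read(), headers["X-Request-ID"])
        raise RuntimeError(f"API call failed: {record}") from None
```

A `key_rejected` record is the signal to check how the key is being loaded or to ask for a rotation; the `request_id` in the same record is the value to quote in a problem report.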