# Authenticate with the SpherePay API

> All SpherePay API requests use Bearer token authentication. Learn how to generate your API key and pass it correctly in every request.

Every request to the SpherePay API must be authenticated using an API key. SpherePay uses Bearer token authentication — you pass your key in the `Authorization` header of every request. This page covers how to generate a key, how to use it, and how to handle authentication errors.

## Obtain your API key

API keys are generated from the SpherePay dashboard:

1. Log in to [spherepay.co/dashboard](https://spherepay.co/dashboard).
2. Navigate to **Developers → API Keys**.
3. Select **Create New API Key**.
4. Copy the key immediately — it will not be shown again after you leave the page.

<Warning>
  Treat your API key like a password. Never expose it in client-side code, commit it to version control, or share it in plaintext. If a key is compromised, revoke it immediately from the dashboard and generate a new one.
</Warning>

## Make an authenticated request

Pass your API key as a Bearer token in the `Authorization` header on every request:

```bash
curl https://api.spherepay.co/v2/customer \
  -H "Authorization: Bearer YOUR_API_KEY"
```

All requests must use **HTTPS**. Requests made over plain HTTP will be rejected.

## Request headers

| Header          | Required           | Value                 |
| --------------- | ------------------ | --------------------- |
| `Authorization` | Yes                | `Bearer YOUR_API_KEY` |
| `Content-Type`  | Yes for POST/PATCH | `application/json`    |

## Authentication errors

If your API key is missing, malformed, or invalid, the API returns a `403 Forbidden` response:

```json
{
    "status": 403,
    "detail": "Forbidden resource",
    "correlationId": "e633f28100526862cadc4c592435eddd"
}
```

If you receive this error on a key you believe is valid, check the following:

* The `Authorization` header is formatted as `Bearer YOUR_API_KEY` with a single space between `Bearer` and the key — no extra characters or quotes.
* The key has not been revoked. Log in to the dashboard under **Developers → API Keys** to verify its status.
* You are sending the request over HTTPS, not HTTP.
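
The checks above can be enforced client-side before a request ever leaves your machine. The following is an added example, not SpherePay's own code: it loads the key from an environment variable, rejects the header-formatting mistakes listed above, refuses non-HTTPS URLs, and turns a `403` body into a log line that keeps the `correlationId` without exposing the key. The variable name `SPHEREPAY_API_KEY` and all function names are assumptions made for illustration.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

API_BASE = "https://api.spherepay.co/v2"  # base URL taken from the curl example


def load_api_key(env=os.environ, var="SPHEREPAY_API_KEY"):
    """Read the key from the environment (variable name is an assumption)."""
    key = env.get(var, "")
    if not key:
        raise ValueError(f"{var} is not set")
    # Quotes, spaces or newlines (e.g. from a copied .env line or a stored
    # "Bearer " prefix) would produce a malformed Authorization header.
    if any(c in key for c in "\"' \t\r\n"):
        raise ValueError(f"{var} contains quotes or whitespace")
    return key


def build_request(path, key, body=None, method="GET"):
    """Build an authenticated request; refuse anything that is not HTTPS."""
    url = path if "://" in path else f"{API_BASE}/{path.lstrip('/')}"
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    headers = {"Authorization": f"Bearer {key}"}  # single space after Bearer
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"  # required for POST/PATCH
        data = json.dumps(body).encode()
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def describe_auth_error(status, raw_body):
    """Return a log-safe summary of a 403 response, or None for other codes."""
    if status != 403:
        return None
    try:
        payload = json.loads(raw_body)
    except ValueError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    detail = payload.get("detail", "Forbidden")
    cid = payload.get("correlationId", "unknown")
    return f"403 {detail} (correlationId={cid})"
```

Pass the object returned by `build_request` to `urllib.request.urlopen`, and on an `HTTPError` feed its status code and body to `describe_auth_error` so the `correlationId` ends up in your logs.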
