# Authentication

All API requests must include an API key in the `X-API-KEY` header.

## How It Works

1. Your administrator generates an API key from the DualEntry dashboard
2. Include the API key in the `X-API-KEY` header with every request
3. The API validates the key and authorizes access to your organization's data

## Example Request

```bash
curl https://api.dualentry.com/v1/invoices \
  -H "X-API-KEY: your_api_key_here" \
  -H "Content-Type: application/json"
```

## Getting an API Key

Contact your DualEntry administrator to generate an API key:

1. Navigate to **Settings** → **API Keys** in the DualEntry dashboard
2. Click **Generate New API Key**
3. Copy the key immediately (it's shown only once)
4. Store it securely in your application

**Security**: Never expose API keys in client-side code, public repositories, or logs. Use environment variables or secure secret management services.

## Authentication Errors

| Status Code | Meaning | Solution |
| --- | --- | --- |
| **401** | Missing API key | Include `X-API-KEY` header |
| **403** | Invalid or revoked API key | Verify your API key is correct and active |

**Error Response:**

```json
{
  "success": false,
  "errors": {
    "__all__": ["API key authentication failed"]
  }
}
```

## Best Practices

- Store API keys in environment variables or secret management services
- Use separate API keys for development and production environments
- Rotate keys regularly for enhanced security
- Never commit API keys to version control

**Next:** [Learn about Rate Limiting →](/rate-limiting)
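
The storage advice and the 401/403 table above, combined in a client: this is an added example, not DualEntry's own code. The environment variable name `DUALENTRY_API_KEY` and all function and class names are assumptions made for illustration; the header, base URL, status codes and error body come from this page.

```python
import json
import logging
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.dualentry.com/v1"  # from the example request on this page
KEY_ENV_VAR = "DUALENTRY_API_KEY"  # assumed variable name, not defined by DualEntry
# Solutions copied from the Authentication Errors table.
SOLUTIONS = {401: "Include X-API-KEY header", 403: "Verify your API key is correct and active"}

class KeyRedactingFilter(logging.Filter):
    """Mask the API key if it ever ends up in a log message."""
    def __init__(self, secret):
        super().__init__()
        self.secret = secret
    def filter(self, record):
        record.msg = record.getMessage().replace(self.secret, "[REDACTED]")
        record.args = ()  # message is already formatted
        return True

def load_api_key(environ=os.environ):
    """Read the key from the environment; fail closed when it is absent."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key

def classify_auth_failure(status, body):
    """Return status, solution and server messages for 401/403, else None."""
    if status not in SOLUTIONS:
        return None
    try:
        messages = list(json.loads(body)["errors"]["__all__"])
    except (ValueError, KeyError, TypeError):
        messages = []  # body was not the documented error JSON
    return {"status": status, "solution": SOLUTIONS[status], "messages": messages}

def get(path, api_key):  # GET BASE_URL + path, key sent in the X-API-KEY header
    request = urllib.request.Request(BASE_URL + path, headers={
        "X-API-KEY": api_key, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return json.load(response)
    except urllib.error.HTTPError as err:
        failure = classify_auth_failure(err.code, err.read().decode("utf-8", "replace"))
        if failure:
            raise PermissionError(f"{failure['status']}: {failure['solution']}") from None
        raise
```

Attach the filter to each log handler with `handler.addFilter(KeyRedactingFilter(load_api_key()))` so a key interpolated into a message is masked before it is written.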