> ## Documentation Index
> Fetch the complete documentation index at: https://docs.snipp.gg/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate all API requests using your API key.

## API Key Authentication

All Snipp API endpoints require authentication. Include your API key in the `api-key` header with every request.

```
api-key: YOUR_API_KEY
```

### Where to Find Your API Key

1. Sign in to your account.
2. Go to **Settings**.
3. Copy your API key from the **API** section.

### Examples

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET "https://api.snipp.gg/users/@me" \
    -H "api-key: YOUR_API_KEY"
  ```

  ```javascript JavaScript theme={null}
  const res = await fetch("https://api.snipp.gg/users/@me", {
    headers: { "api-key": "YOUR_API_KEY" },
  });
  const data = await res.json();
  ```

  ```python Python theme={null}
  import requests

  res = requests.get(
      "https://api.snipp.gg/users/@me",
      headers={"api-key": "YOUR_API_KEY"},
  )
  data = res.json()
  ```
</CodeGroup>

### API Key Permissions

Not all API keys have the same permissions. Each key clearly indicates whether upload access is enabled:

| Permission | Description                                                        |
| ---------- | ------------------------------------------------------------------ |
| **Read**   | Fetch your profile, list uploads, browse Discover. Always enabled. |
| **Upload** | Upload files and delete uploads. Can be toggled in settings.       |

You can check your key's permissions by calling `GET /users/@me` and reviewing the `keyHasUploadsAccess` field.

### Team Access Keys

[Teams](/concepts/plans#teams) (an Enterprise feature) each have a dedicated **access key**. A team key works exactly like a personal API key (pass it in the `api-key` header), but uploads made with it go to the team's shared gallery instead of a personal account.

```
api-key: YOUR_TEAM_ACCESS_KEY
```

Key differences when uploading with a team key:

* Files are stored in the **team gallery**, not a personal gallery.
* Uploads count against the **team's** weekly quota, never a member's personal quota.
* Team-key uploads are always created **private**, regardless of the `post-privacy` header. You can change a post to **unlisted** afterward; team posts are never **public**.
* Only the team owner can regenerate or delete the key, from the team's settings page.

Anyone who holds a team key can upload with it, so treat it like any other credential and share it only with trusted team members.

### Security Best Practices

* **Never expose your API key** in client-side code, public repositories, or shared documents.
* **Use environment variables** in production (for example, `process.env.SNIPP_API_KEY`).
* **Rotate your key** immediately if you suspect it has been compromised. You can regenerate it from your account settings.
* **Limit upload access** if your integration only needs read access.

### Error Responses

| Status | Cause                                         |
| ------ | --------------------------------------------- |
| `401`  | Missing `api-key` header                      |
| `401`  | Invalid or expired API key                    |
| `403`  | Account suspended or insufficient permissions |

All errors return a JSON object with an `error` field describing the issue.
