> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anyformat.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate your API requests using API keys

## Getting Your API Key

1. Log in to your [anyformat account](https://app.anyformat.ai)
2. Navigate to the [API Key page](https://app.anyformat.ai/api-key) to generate a new API key and **copy it**. For security reasons, the API key will only be displayed once.

## Authentication Method

Use your API key in the `Authorization` header with Bearer format:

```bash theme={null}
Authorization: Bearer YOUR_API_KEY
```

## Using Your API Key

Include your API key in the request headers for all API requests:

<CodeGroup>
  ```bash curl theme={null}
  curl "https://api.anyformat.ai/v2/workflows/" \
       -H "Authorization: Bearer YOUR_API_KEY"
  ```

  ```python Python (SDK) theme={null}
  import os
  from anyformat.sdk import Client

  # Pass explicitly
  client = Client(api_key="your_api_key_here")

  # Or read from the environment
  client = Client(api_key=os.environ["ANYFORMAT_API_KEY"])
  ```

  ```python Python (requests) theme={null}
  import requests

  headers = {
      "Authorization": "Bearer YOUR_API_KEY"
  }

  response = requests.get(
      "https://api.anyformat.ai/v2/workflows/",
      headers=headers
  )
  ```

  ```javascript JavaScript theme={null}
  const response = await fetch('https://api.anyformat.ai/v2/workflows/', {
    method: 'GET',
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  });

  const data = await response.json();
  ```

  ```java Java theme={null}
  import java.net.http.HttpClient;
  import java.net.http.HttpRequest;
  import java.net.http.HttpResponse;
  import java.net.URI;

  HttpClient client = HttpClient.newHttpClient();
  HttpRequest request = HttpRequest.newBuilder()
      .uri(URI.create("https://api.anyformat.ai/v2/workflows/"))
      .header("Authorization", "Bearer YOUR_API_KEY")
      .GET()
      .build();

  HttpResponse<String> response = client.send(request,
      HttpResponse.BodyHandlers.ofString());
  ```

  ```go Go theme={null}
  package main

  import (
      "net/http"
  )

  func main() {
      client := &http.Client{}
      req, _ := http.NewRequest("GET", "https://api.anyformat.ai/v2/workflows/", nil)
      req.Header.Add("Authorization", "Bearer YOUR_API_KEY")

      resp, _ := client.Do(req)
  }
  ```

  ```rust Rust theme={null}
  use reqwest;

  fn main() {
      let client = reqwest::blocking::Client::new();
      let response = client.get("https://api.anyformat.ai/v2/workflows/")
          .header("Authorization", "Bearer YOUR_API_KEY")
          .send()
          .unwrap();

      println!("{}", response.text().unwrap());
  }
  ```
</CodeGroup>

<Note>
  The API accepts the `Authorization` header in any casing (for example, `authorization`, `Authorization`, or `AUTHORIZATION`). HTTP headers are case-insensitive per the HTTP specification.
</Note>

## API Key Scoping

Each API key is tied to a single organization. All API requests made with that key operate within that organization's data — you can only access workflows, files, and webhooks belonging to that organization.

* A user who belongs to multiple organizations needs a separate API key for each one
* Generating a new API key automatically revokes the previous key for the same organization
* API keys grant the same access level as the user who created them (there are no granular scopes or permission restrictions on keys)

<Note>
  API keys are managed in the [anyformat platform](https://app.anyformat.ai/api-key). The API does not expose key management endpoints.
</Note>

## Public Endpoints

The following endpoints do not require API key authentication:

* `/` - API root
* `/health/` - Health check
* `/schema/` - OpenAPI schema
* `/docs/` - Swagger UI documentation

## Revoking a Key

<Card title="Generate a new key to automatically revoke the old one." icon="key" href="https://app.anyformat.ai/api-key" />

## Security Best Practices

1. **Never share your API key** - Treat it like a password
2. **Rotate keys periodically** - Generate new keys on a regular schedule
3. **Use environment variables** - Store keys in environment variables in production
4. **Monitor key usage** - Watch for suspicious activity in your account
5. **Never expose in client-side code** - API keys should only be used server-side

<Note>
  If you need to generate a new API key or suspect your key has been compromised, visit the [API Key page](https://app.anyformat.ai/api-key) in your anyformat app immediately.
</Note>