> ## Documentation Index
> Fetch the complete documentation index at: https://docs.kurrier.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Kurrier API

## Overview

Kurrier exposes a **simple, unified authentication model** for its HTTP API.

All API endpoints are authenticated using **API keys** and are available under the Kurrier namespace:

```text theme={null}
https://www.kurrier.io/api/kurrier
```

***

## API Keys

API keys are managed from the **Kurrier dashboard**.

### Creating an API key

1. Go to **API Keys** in the dashboard
2. Click **Add API Key**
3. Give it a name (for example: `prod-app`, `newsletter`, `staging`)
4. Save the key securely — it is shown only once

> API keys are account-wide. Fine‑grained scopes will be added later; for now, keys have full access.

***

## HTTP API Authentication

All HTTP requests must include your API key using a Bearer token.

### Header format

```http theme={null}
Authorization: Bearer YOUR_API_KEY
```

### Example request

```bash theme={null}
curl https://www.kurrier.io/api/kurrier/me   -H "Authorization: Bearer YOUR_API_KEY"
```

If the API key is missing, invalid, or revoked, the API will respond with:

```text theme={null}
401 Unauthorized
```

***

## Identity-aware Requests

Kurrier supports multiple **sending identities** (email addresses).

When sending email or performing identity-specific actions, the request body or URL will reference an **Identity ID**.
Authentication itself is always performed using the API key.

This allows:

* One API key to manage multiple identities
* Clear audit trails
* Provider‑agnostic delivery (SES, SendGrid, etc.)

Identity IDs can be found in the **Identities** section of the dashboard.

***

## Security Best Practices

* Treat API keys like passwords
* Never commit them to source control
* Use separate keys for staging and production
* Rotate keys immediately if exposed

***

## Summary

* Kurrier uses **API key–based authentication**
* All requests authenticate via the `Authorization: Bearer` header
* API keys are managed in the dashboard
* Identity context is handled at the request level
* SMTP support will be added in a future release