> ## Documentation Index
> Fetch the complete documentation index at: https://docs.scrip.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API key authentication, request headers, rate limits, and error handling

All API requests require an API key. You can create and manage keys from the [Scrip dashboard](https://app.scrip.dev).

## Using Your API Key

API keys use the `sk_` prefix. Pass your key in the `Authorization` header:

```bash theme={null}
curl https://api.scrip.dev/v1/programs \
  -H "Authorization: Bearer sk_your_api_key"
```

You can also use the `X-API-Key` header:

```bash theme={null}
curl https://api.scrip.dev/v1/programs \
  -H "X-API-Key: sk_your_api_key"
```

Each API key has full read and write access to all resources in your organization. There are no scoped or read-only keys at this time.

<Warning>
  Keep your API keys secret. Do not expose them in client-side code or commit them to version control.
</Warning>

## Rate Limits

Requests are rate-limited per organization:

| Limit          | Value              | Meaning                                                     |
| -------------- | ------------------ | ----------------------------------------------------------- |
| Sustained rate | 10 requests/second | Steady throughput the API allows continuously               |
| Burst          | 30 requests        | Maximum requests allowed in a short spike before throttling |

All API keys within the same organization share the same rate limit. When exceeded, the API returns `429 Too Many Requests` with a `Retry-After` header.

Every response includes rate limit headers:

| Header                  | Description                                                       |
| ----------------------- | ----------------------------------------------------------------- |
| `X-RateLimit-Limit`     | Maximum burst capacity                                            |
| `X-RateLimit-Remaining` | Requests remaining in the current window                          |
| `X-RateLimit-Reset`     | Unix timestamp (seconds) when the bucket is fully replenished     |
| `Retry-After`           | Seconds to wait before retrying (only present on `429` responses) |

<Note>
  For higher throughput, [contact us](mailto:support@scrip.dev) about enterprise rate limits.
</Note>

## Errors

| Status | Code                | Meaning                                                                                                    |
| ------ | ------------------- | ---------------------------------------------------------------------------------------------------------- |
| `401`  | `unauthorized`      | API key is missing, invalid, or has been revoked. Check that your `Authorization` header is set correctly. |
| `403`  | `forbidden`         | The API key is valid but does not have access to this resource.                                            |
| `429`  | `too_many_requests` | Rate limit exceeded                                                                                        |

Error responses follow a standard shape:

```json theme={null}
{
  "code": "unauthorized",
  "message": "invalid or revoked API key"
}
```
