# Authentication

> Authenticate Iron API requests using the X-API-Key header. Includes example requests, 401 error handling, and common troubleshooting steps.

## Authenticating Requests with API Keys

To make successful requests to the Iron API, you must authenticate every request by including a valid API key in the request headers. Authentication ensures that only authorized users can access resources or perform actions within the API. [Learn how to generate API Keys here.](/api-access)

## Including the API Key

Include your API key in the `X-API-Key` header of every request. If the API key is missing, incorrect, or revoked, the request will fail.

### Example Request

The following example demonstrates how to use your API key with a `GET` request to fetch a list of customers:

<CodeGroup>
  ```bash Bash theme={null}
  curl --request GET \
       --url https://api.sandbox.iron.xyz/api/customers \
       --header 'X-API-Key: YOUR-API-KEY' \
       --header 'accept: application/json; charset=utf-8'
  ```
</CodeGroup>

<Note>
  Replace `YOUR-API-KEY` with the actual API key you generated. The `X-API-Key` header is required for every request to authenticate your access.
</Note>

## Handling Authentication Errors

If you use an invalid or revoked API key, the server will respond with a `401 Unauthorized` error. Here’s an example response:

```bash theme={null}
< HTTP/2 401
< date: Fri, 17 Jan 2025 12:02:30 GMT
< content-type: text/plain; charset=utf-8
< content-length: 19
< strict-transport-security: max-age=15724800; includeSubDomains
<
authorization error
```

### Common Causes of Authentication Errors

1. **Incorrect API Key**: Ensure the key matches the one you generated.
2. **Revoked API Key**: Verify that the key has not been revoked.
3. **Missing API Key**: Confirm the `X-API-Key` header is included in your request.

### How to Resolve

* Double-check the API key and its permissions in the Partner Dashboard.
* Generate a new key if necessary and update your requests with the new key.
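
The request and the 401 handling above combined into one shell wrapper, as an added example rather than Iron's own code: it rejects a missing or placeholder key before sending, keeps the key out of curl's argument list, and branches on the status before touching the body. The `IRON_API_KEY` and `IRON_BASE_URL` variables and the function names are assumptions of this sketch.

```bash
# Added example, not Iron's code. IRON_API_KEY, IRON_BASE_URL and the function
# names are assumptions made for this sketch.
IRON_BASE_URL="${IRON_BASE_URL:-https://api.sandbox.iron.xyz}"

# Catch the "missing key" cause locally, before anything is sent.
check_key() {
  [ -n "${IRON_API_KEY-}" ] || { echo "IRON_API_KEY is not set" >&2; return 2; }
  [ "$IRON_API_KEY" != "YOUR-API-KEY" ] || { echo "IRON_API_KEY is still the placeholder" >&2; return 3; }
  case "$IRON_API_KEY" in
    # Whitespace usually means copy/paste damage; quotes or backslashes would
    # break the curl config line below (assumes real keys contain neither).
    *[[:space:]]*|*\"*|*\\*) echo "IRON_API_KEY contains unexpected characters" >&2; return 4 ;;
  esac
}

# Map an HTTP status to the action the caller should take.
classify_status() {
  case "$1" in
    2??) echo ok ;;
    401) echo check-key ;;   # incorrect or revoked key
    *)   echo other ;;
  esac
}

# GET a path, print the body on success, and return non-zero otherwise.
iron_get() {
  local body status verdict
  check_key || return
  body="$(mktemp)" || return 1
  # printf is a shell builtin and the header reaches curl through --config on
  # stdin, so the key never appears in a process argument list (visible in ps).
  status="$(printf 'header = "X-API-Key: %s"\n' "$IRON_API_KEY" |
    curl --silent --show-error --config - \
         --header 'accept: application/json; charset=utf-8' \
         --output "$body" --write-out '%{http_code}' \
         --url "${IRON_BASE_URL}$1")" || { rm -f "$body"; return 1; }
  verdict="$(classify_status "$status")"
  case "$verdict" in
    ok) cat "$body" ;;
    # The 401 body is text/plain ("authorization error"), so it is reported
    # here rather than handed to a JSON parser.
    check-key) echo "401: key rejected; verify or regenerate it in the Partner Dashboard" >&2 ;;
    *) echo "unexpected HTTP status $status" >&2 ;;
  esac
  rm -f "$body"
  [ "$verdict" = ok ]
}
```

Call it as `iron_get /api/customers` after exporting `IRON_API_KEY` from wherever your secrets are stored.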
