> ## Documentation Index
> Fetch the complete documentation index at: https://docs.filemonk.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate your API requests using a per-store API key passed in the X-Auth-Token header.

Every request to the Filemonk API must include your store's API key in the `X-Auth-Token` header.

## Getting your API key

<Steps>
  <Step title="Open Filemonk settings">
    In your Shopify admin, open the Filemonk app and navigate to **Settings**.
  </Step>

  <Step title="Go to the Other tab">
    Select the **Other** tab and scroll to the **API** section.
  </Step>

  <Step title="Copy your key">
    Click **Copy** to copy the API key to your clipboard. The key is masked by default — you can copy it without revealing it.
  </Step>
</Steps>

## Using the API key

Include the key in the `X-Auth-Token` header of every request:

```bash theme={null}
curl -X GET 'https://app.filemonk.io/api/v1/external/orders' \
  -H 'X-Auth-Token: fm_api_key_your_key_here'
```

<ParamField header="X-Auth-Token" type="string" required>
  Your store's API key. Starts with `fm_api_key_`.
</ParamField>

## Error responses

If authentication fails, the API returns a `401 Unauthorized` response:

<Tabs>
  <Tab title="Missing key">
    ```json theme={null}
    {
      "error": "API key is required"
    }
    ```

    You did not include the `X-Auth-Token` header.
  </Tab>

  <Tab title="Invalid key">
    ```json theme={null}
    {
      "error": "Invalid API key"
    }
    ```

    The key does not match any store. Verify you copied the full key.
  </Tab>
</Tabs>

## Resetting your API key

If your API key is compromised, you can reset it from the same **Settings > Other > API** section:

1. Click **Reset** next to the API key field.
2. Confirm the reset in the modal dialog.
3. Copy the new key and update all your integrations.

<Warning>
  Resetting your API key invalidates the previous key immediately. Any integration using the old key will stop working until updated.
</Warning>

## Security best practices

* Store your API key in environment variables or a secrets manager — never hard-code it.
* Do not expose the key in client-side code, browser requests, or public repositories.
* Use HTTPS for all API requests (the API only accepts HTTPS).
* Reset the key promptly if you suspect it has been exposed.
