> ## Documentation Index
> Fetch the complete documentation index at: https://developer.surefeedback.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the SureFeedback Public API using API keys.

All Public API endpoints require an **API key**. You create keys in the SureFeedback dashboard and pass them directly in every request — no login step required.

## Getting an API key

<Steps>
  <Step title="Log in to SureFeedback">
    Go to [app.surefeedback.com](https://app.surefeedback.com) and log in.
  </Step>

  <Step title="Open API Keys">
    Click your profile icon in the top bar, then select **API Keys**.
  </Step>

  <Step title="Create a key">
    Click **+ Create API Key**, give it a name, select permissions (**Read**, **Write**, **Delete**), and set an optional expiry date.
  </Step>

  <Step title="Copy the key">
    Copy the `sf_...` key immediately — it is shown **only once** and cannot be retrieved again.
  </Step>
</Steps>

## Using your API key

Pass your API key in one of two ways on every request:

### Option 1 — X-API-Key header (recommended)

```bash theme={null}
X-API-Key: sf_your_api_key_here
```

### Option 2 — Authorization Bearer header

```bash theme={null}
Authorization: Bearer sf_your_api_key_here
```

Both methods are equivalent. Example:

```bash theme={null}
curl  https://api.surefeedback.com/api/v1/comments \
  -H "X-API-Key: sf_your_api_key_here" \
  -G \
  --data-urlencode "site_id=<your_site_id>"
```

## Permissions

When creating a key, you grant it one or more permission levels:

| Permission | What it allows                                         |
| ---------- | ------------------------------------------------------ |
| **Read**   | Fetch comments, sites, projects, approvals, mockups    |
| **Write**  | Create and update comments, sites, projects, approvals |
| **Delete** | Delete comments, sites, projects, mockups              |

Assign only the permissions your integration needs.

## Key security

* Never expose API keys in client-side JavaScript or public repositories
* Rotate keys regularly — use the **Rotate** action in the API Keys dashboard
* Revoke compromised keys immediately using the **Disable** or **Delete** action
* Use expiry dates for short-lived integrations

## Errors

| Status | Meaning                                                       |
| ------ | ------------------------------------------------------------- |
| `401`  | API key is missing, invalid, or deactivated                   |
| `403`  | API key does not have the required permission for this action |
