# Authentication & API keys (/authentication-api-keys)


The LettrLabs public API authenticates every request with a **public API key*&#x2A;
sent in the &#x2A;*`X-API-KEY`** header. You generate the key once, inside the
LettrLabs app, and use it for all subsequent calls.

## Generate an API key [#generate-an-api-key]

In the LettrLabs app:

1. Open &#x2A;*[Automations](https://app.lettrlabs.com/automations)**.
2. Go to **Setup**.
3. Select **OpenAPI**.
4. Click **Manage**.
5. Click **Generate Key**.

Your new key is shown **once**, at creation time — copy it immediately and store
it somewhere secure (a secret manager or your server's environment). If you lose
it, generate a new key and update your integration.

<Callout type="warn">
  Treat the key like a password. It grants full access to your account's public
  API surface. Never embed it in client‑side code, a mobile app, or a public
  repository — keep it server‑side.
</Callout>

## Authenticate a request [#authenticate-a-request]

Send the key in the `X-API-KEY` header on every request:

```bash
curl https://app.lettrlabs.com/api/v1/me \
  -H "X-API-KEY: your_api_key_here"
```

A quick way to confirm a key works is `GET /v1/me`, which returns your profile.
A missing or invalid `X-API-KEY` header returns `401 Unauthorized`.

```http
GET /v1/me HTTP/1.1
Host: app.lettrlabs.com
X-API-KEY: your_api_key_here
```

Every endpoint in the [API Reference](/api-reference) shows the same
`X-API-KEY` requirement, and the interactive console lets you paste your key and
call the endpoint live.

## Rotating keys [#rotating-keys]

To rotate, generate a new key (same steps above), deploy it to your
integration, then stop using the old one. Generating a key does not
automatically revoke previous keys.