> ## Documentation Index
> Fetch the complete documentation index at: https://docs.iblueprint.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate API requests with iBlueprint API keys

> Learn how to generate an API key, attach it as a Bearer token to every request, and handle authentication errors returned by the iBlueprint API.

Every request to the iBlueprint API must include a valid API key. iBlueprint authenticates requests using the standard HTTP `Authorization` header with a Bearer token scheme. There are no cookies, sessions, or OAuth flows required for direct API access.

## Generating an API key

1. Open the iBlueprint dashboard and go to **Settings → API Keys**.
2. Click **New API key**, give it a descriptive name, and confirm.
3. Copy the key immediately — it is shown only once.

Store your key in a secure location such as an environment variable or a secrets manager. Never commit it to source control.

## Attaching the key to requests

Include your API key as a Bearer token in the `Authorization` header of every request:

```
Authorization: Bearer YOUR_API_KEY
```

### Example

<CodeGroup>
  ```bash curl theme={null}
  curl -G "https://api.iblueprint.ai/api/trpc/blueprint.list" \
    --data-urlencode 'input={"json":{"page":1,"limit":10}}' \
    -H "Authorization: Bearer ibp_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  ```

  ```javascript JavaScript theme={null}
  const response = await fetch(
    'https://api.iblueprint.ai/api/trpc/blueprint.list?' +
      new URLSearchParams({ input: JSON.stringify({ json: { page: 1, limit: 10 } }) }),
    {
      headers: {
        Authorization: 'Bearer ibp_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
      },
    }
  );
  const body = await response.json();
  const blueprints = body.result.data.json;
  ```
</CodeGroup>

## Authentication errors

If your key is missing or invalid, the API returns `HTTP 401 Unauthorized`:

```json theme={null}
{
  "error": {
    "json": {
      "message": "UNAUTHORIZED",
      "code": -32001,
      "data": {
        "code": "UNAUTHORIZED",
        "httpStatus": 401
      }
    }
  }
}
```

If your key is valid but lacks permission for the requested resource, the API returns `HTTP 403 Forbidden`.

## Key rotation

API keys do not expire automatically, but you can revoke them at any time from **Settings → API Keys**. After revoking a key, requests using it receive a `401` immediately. Issue a new key before revoking the old one to avoid downtime in any integrations that depend on it.
