# Authentication

> **How to authenticate with the API**

***

## API Key

All requests require the `x-replenit-auth-key` header:

```http
POST /customers/{tenantId}
Host: api.replen.it
Content-Type: application/json
x-replenit-auth-key: YOUR_BASE64_API_KEY
```

***

## Get Your API Key

1. Log in to your Replenit panel. If you did not receive an invitation email, reach out to your Customer Success Manager
2. Go to **Settings** → **API Keys**
3. Click **Generate New Key**
4. Copy the key (it won't be shown again)

***

## Secure Storage

**Use environment variables:**

```bash
# .env file (add to .gitignore)
REPLENIT_API_KEY=your_base64_api_key_here
REPLENIT_TENANT_ID=your_tenant_id_here
```

**Python:**

```python
import os
from dotenv import load_dotenv

load_dotenv()
API_KEY = os.getenv('REPLENIT_API_KEY')
```

**Node.js:**

```javascript
require('dotenv').config();
const API_KEY = process.env.REPLENIT_API_KEY;
```

***

## Best Practices

1. **Never commit keys** to version control
2. **Use different keys** for dev/staging/production
3. **Don't expose keys** in client-side code (browsers, mobile apps)
4. **Rotate keys** periodically (e.g. every 6 months)

***

## Common Mistakes

### ❌ Keys in Source Code

```python
import os

# DON'T
API_KEY = "dGVzdF9hcGlfa2V5"  # Hardcoded!

# DO
API_KEY = os.getenv('REPLENIT_API_KEY')
```

### ❌ Keys in Version Control

```bash
# Add to .gitignore
.env
config.json
secrets/
```

### ❌ Client-Side Exposure

```javascript
// DON'T use API keys in browser/mobile apps
// Use a backend proxy instead
fetch('/api/proxy/customers');
```

***

## Troubleshooting

**401 Unauthorized:**

* Check `x-replenit-auth-key` header is present
* Verify API key is correct (no extra spaces)
* Ensure key hasn't been revoked

**403 Forbidden:**

* Verify tenant ID matches your organization
* Check key permissions in panel
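
**Pre-flight check (added example, not part of the Replenit SDK or docs):** the 401 checks above can run locally before any request is sent. The helper names, the `https://` scheme, the standard base64 alphabet, the sample tenant ID and the empty payload are assumptions made for illustration.

```python
import base64
import binascii
import json
import os
import urllib.request

API_BASE = "https://api.replen.it"  # assumption: HTTPS on the documented host


def load_api_key(env=os.environ):
    """Return REPLENIT_API_KEY, or raise ValueError naming the problem."""
    key = env.get("REPLENIT_API_KEY")
    if not key:
        raise ValueError("REPLENIT_API_KEY is not set")
    if any(ch.isspace() for ch in key):
        # A stray newline or space from copy/paste changes the header value.
        raise ValueError("REPLENIT_API_KEY contains whitespace")
    try:
        # Assumption: the key uses the standard base64 alphabet.
        base64.b64decode(key, validate=True)
    except binascii.Error:
        raise ValueError("REPLENIT_API_KEY is not valid base64") from None
    return key


def redact(key):
    """Form of the key that is safe to write to logs."""
    return key[:4] + "..." if len(key) > 8 else "***"


def build_request(tenant_id, key, payload):
    """Build (without sending) the POST /customers/{tenantId} request."""
    return urllib.request.Request(
        f"{API_BASE}/customers/{tenant_id}",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "x-replenit-auth-key": key},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample values; real ones come from the environment.
    sample_env = {"REPLENIT_API_KEY": "dGVzdF9hcGlfa2V5"}
    key = load_api_key(sample_env)
    req = build_request("tenant-123", key, {})
    print(req.get_method(), req.full_url, "key:", redact(key))
```

Log only the output of `redact()`, never the key itself, when recording failed requests.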

***

## Need Help?

Contact <support@replen.it>


