> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lavendly.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Bearer-token auth. Idempotency keys are recommended.

Every API request authenticates with a bearer token:

```bash theme={null}
curl https://api.lavendly.ai/v1/workflows \
  -H "Authorization: Bearer lv_live_…"
```

| Header            | Required | Purpose                                                           |
| ----------------- | -------- | ----------------------------------------------------------------- |
| `Authorization`   | Yes      | `Bearer <api_key>`. Scopes the request to your account.           |
| `Idempotency-Key` | No       | Opaque string. Same value within 5 min returns the same response. |

## Getting an API key

Sign in at <a href="https://lavendly.ai">lavendly.ai</a> and
create a key from your dashboard. Keys are prefixed `lv_live_` for
production and `lv_test_` for the sandbox.

<Warning>
  API keys are secrets. Treat them like passwords. The platform never
  emails them back to you; if you lose one, rotate it from the
  dashboard.
</Warning>

## Token scopes

A single API key grants access to everything in your account. We don't
ship fine-grained per-operation scopes yet, if you need them for a
specific integration, get in touch.

## When you're embedding Lavendly in another product

If you're letting your own users render through your Lavendly
account, do **not** ship the key to the browser. Put your own auth
in front of any path that touches Lavendly and call the API
server-side with your key.

## Recommended: idempotency on every paid call

Every mutating endpoint that costs money accepts `Idempotency-Key`.
The header value is scoped per-account and cached for 5 minutes, a
retry returns the same response, byte-for-byte, without re-executing
the mutation.

See [Idempotency](/guides/idempotency) for the full pattern.