> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fungies.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate your API requests using public and secret keys.

The Fungies API uses API keys to authenticate requests. Every request must include valid authentication headers.

## Getting Your API Keys

You can create and manage your API keys in the [Fungies Dashboard](https://app.fungies.io/devs/api-keys).

You'll receive two types of keys:

| Key Type   | Prefix | Purpose                                             |
| ---------- | ------ | --------------------------------------------------- |
| Public Key | `pub_` | Required for all API requests                       |
| Secret Key | `sec_` | Required for write operations (POST, PATCH, DELETE) |

## Authentication Headers

Include your API keys in the request headers:

```bash theme={null}
# Required for all requests
x-fngs-public-key: pub_your_public_key_here

# Required for write operations
x-fngs-secret-key: sec_your_secret_key_here
```

## Example Request

Here's an example of a properly authenticated request:

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET "https://api.fungies.io/v0/products" \
    -H "x-fngs-public-key: pub_your_public_key" \
    -H "x-fngs-secret-key: sec_your_secret_key"
  ```

  ```javascript JavaScript theme={null}
  const response = await fetch('https://api.fungies.io/v0/products', {
    method: 'GET',
    headers: {
      'x-fngs-public-key': 'pub_your_public_key',
      'x-fngs-secret-key': 'sec_your_secret_key'
    }
  });
  ```

  ```python Python theme={null}
  import requests

  response = requests.get(
      'https://api.fungies.io/v0/products',
      headers={
          'x-fngs-public-key': 'pub_your_public_key',
          'x-fngs-secret-key': 'sec_your_secret_key'
      }
  )
  ```
</CodeGroup>

## Security Best Practices

<Warning>
  Your API keys grant access to your Fungies account. Keep them secure and never expose them publicly.
</Warning>

Follow these guidelines to protect your keys:

* **Never commit keys to version control** - Use environment variables instead
* **Don't expose keys in client-side code** - Secret keys should only be used server-side
* **Rotate keys regularly** - Generate new keys periodically and revoke old ones
* **Use separate keys for different environments** - Keep production and development keys separate

## HTTPS Required

All API requests must be made over HTTPS. Requests made over plain HTTP will be rejected.

## Error Responses

If authentication fails, you'll receive one of these responses:

| Status Code        | Meaning                                |
| ------------------ | -------------------------------------- |
| `401 Unauthorized` | Missing or invalid API key             |
| `403 Forbidden`    | Valid key but insufficient permissions |