> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bookingshake.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate your API requests with Bearer tokens

## Overview

The BookingShake API uses **Bearer token authentication** to secure all endpoints. You'll need to include your API key in the `Authorization` header of every request.

## Getting Your API Key

<Steps>
  <Step title="Log in to BookingShake">
    Access your BookingShake account at [crm.bookingshake.com](https://crm.bookingshake.com)
  </Step>

  <Step title="Navigate to Settings">
    Click on **Settings** in the main navigation menu
  </Step>

  <Step title="Open Integrations">
    Select **Integrations** from the settings sidebar
  </Step>

  <Step title="Copy Your API Key">
    Find your API key in the Integrations section and copy it to your clipboard
  </Step>
</Steps>

<Warning>
  **Keep your API key secret!** Never commit API keys to version control or expose them in client-side code. Always use environment variables or secure credential storage.
</Warning>

## Authentication Method

Include your API key in the `Authorization` header using the Bearer scheme:

```http theme={null}
Authorization: Bearer YOUR_API_KEY
```

## Code Examples

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET 'https://api.bookingshake.io/api/sources' \
    -H 'Authorization: Bearer YOUR_API_KEY' \
    -H 'Content-Type: application/json'
  ```

  ```javascript Node.js theme={null}
  const fetch = require('node-fetch');

  const apiKey = process.env.BOOKINGSHAKE_API_KEY;

  const response = await fetch('https://api.bookingshake.io/api/sources', {
    method: 'GET',
    headers: {
      'Authorization': `Bearer ${apiKey}`,
      'Content-Type': 'application/json'
    }
  });

  const data = await response.json();
  console.log(data);
  ```

  ```python Python theme={null}
  import os
  import requests

  api_key = os.environ.get('BOOKINGSHAKE_API_KEY')

  headers = {
      'Authorization': f'Bearer {api_key}',
      'Content-Type': 'application/json'
  }

  response = requests.get(
      'https://api.bookingshake.io/api/sources',
      headers=headers
  )

  data = response.json()
  print(data)
  ```

  ```php PHP theme={null}
  <?php

  $apiKey = getenv('BOOKINGSHAKE_API_KEY');

  $ch = curl_init('https://api.bookingshake.io/api/sources');

  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_HTTPHEADER, [
      'Authorization: Bearer ' . $apiKey,
      'Content-Type: application/json'
  ]);

  $response = curl_exec($ch);
  curl_close($ch);

  $data = json_decode($response, true);
  print_r($data);

  ?>
  ```
</CodeGroup>

## Testing Authentication

You can quickly test your authentication by making a simple request to retrieve your booking sources:

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET 'https://api.bookingshake.io/api/sources' \
    -H 'Authorization: Bearer YOUR_API_KEY'
  ```

  ```javascript Node.js theme={null}
  const apiKey = 'YOUR_API_KEY';

  fetch('https://api.bookingshake.io/api/sources', {
    headers: {
      'Authorization': `Bearer ${apiKey}`
    }
  })
    .then(res => res.json())
    .then(data => console.log('Authentication successful:', data))
    .catch(err => console.error('Authentication failed:', err));
  ```
</CodeGroup>

If authentication is successful, you'll receive a `200 OK` response with your booking sources.

## Common Authentication Errors

<AccordionGroup>
  <Accordion title="400 Bad Request - 'missing token'">
    **Cause:** The `Authorization` header is missing from your request.

    **Solution:** Ensure you're including the `Authorization` header with every request:

    ```http theme={null}
    Authorization: Bearer YOUR_API_KEY
    ```
  </Accordion>

  <Accordion title="400 Bad Request - 'invalid token'">
    **Cause:** The API key you provided is incorrect or has been revoked.

    **Solution:**

    * Verify you copied the complete API key without extra spaces
    * Check that you're using the correct API key from Settings > Integrations
    * Generate a new API key if the old one has been compromised
  </Accordion>

  <Accordion title="401 Unauthorized">
    **Cause:** The API key format is incorrect or malformed.

    **Solution:** Ensure you're using the Bearer authentication scheme correctly:

    ```http theme={null}
    Authorization: Bearer YOUR_API_KEY
    ```

    Not:

    ```http theme={null}
    Authorization: YOUR_API_KEY
    ```
  </Accordion>
</AccordionGroup>

## Security Best Practices

<CardGroup cols={2}>
  <Card title="Use Environment Variables" icon="code">
    Store API keys in environment variables, not in your source code.

    ```bash theme={null}
    export BOOKINGSHAKE_API_KEY=your_api_key_here
    ```
  </Card>

  <Card title="Rotate Keys Regularly" icon="rotate">
    Generate new API keys periodically and revoke old ones to minimize security risks.
  </Card>

  <Card title="Server-Side Only" icon="server">
    Never expose API keys in client-side JavaScript or mobile apps. Make API calls from your backend server.
  </Card>

  <Card title="Monitor Usage" icon="chart-line">
    Regularly review API access logs to detect any unauthorized usage patterns.
  </Card>
</CardGroup>

## Next Steps

<CardGroup cols={2}>
  <Card title="Quickstart Guide" icon="rocket" href="/api-reference/quickstart">
    Make your first API request
  </Card>

  <Card title="Create Events" icon="calendar-plus" href="/api-reference/events/create">
    Start creating bookings via the API
  </Card>
</CardGroup>
