> ## Documentation Index
> Fetch the complete documentation index at: https://docs.get-spotlight.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Spotlight API.

## API keys

Every request must include your API key. Each key is scoped to a single **organization** — all data returned is automatically filtered to that organization.

You can send the key in any of these headers (all are equivalent):

| Header                   | Example                             |
| ------------------------ | ----------------------------------- |
| `x-spotlight-api-key`    | `x-spotlight-api-key: sk_live_...`  |
| `x-api-key`              | `x-api-key: sk_live_...`            |
| `spotlight-api-key`      | `spotlight-api-key: sk_live_...`    |
| `Authorization` (Bearer) | `Authorization: Bearer sk_live_...` |

<Tip>
  We recommend using `x-spotlight-api-key` as the canonical header name for clarity.
</Tip>

## Getting a key

1. Go to **Settings → API** in the Spotlight app.
2. Copy the key shown on the page.
3. Keep it secret — treat it like a password.

## Authentication errors

| Status | Message                     | Fix                                                                                      |
| ------ | --------------------------- | ---------------------------------------------------------------------------------------- |
| `401`  | `Missing Spotlight API key` | Add one of the headers above to your request.                                            |
| `401`  | `Invalid API key`           | The key was not found or has been revoked. Check the Settings page for your current key. |

## Rate limiting

API keys have a quota on the number of requests per minute, configurable per organization (default: 120 req/min). When the limit is exceeded the API returns `429 Too Many Requests`.

## Example

```bash theme={null}
curl -s \
  -H "x-spotlight-api-key: YOUR_API_KEY" \
  "https://app.get-spotlight.com/api/v1/brands"
```
