> ## Documentation Index
> Fetch the complete documentation index at: https://dev-docs.nestapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Every request is authenticated with an API key sent as a Bearer token.

NestAPI uses **API keys**. Every request must include your key in the `Authorization`
header as a Bearer token:

```http theme={null}
Authorization: Bearer YOUR_API_KEY
```

## Getting a key

You can obtain keys in two ways:

* **Dashboard** — create and manage keys from your NestAPI account.
* **API** — if you hold an Admin-class key, manage keys programmatically via the
  [account endpoints](/account/api-keys).

<Card title="Sign up for a trial" icon="rocket" href="https://api.nestapi.com/trial">
  New to NestAPI? Start a trial to get a key.
</Card>

## Making an authenticated request

<CodeGroup>
  ```bash cURL theme={null}
  curl https://dev.api.nestapi.com/auth/validate \
    -H "Authorization: Bearer YOUR_API_KEY"
  ```

  ```javascript Node theme={null}
  const res = await fetch("https://dev.api.nestapi.com/auth/validate", {
    headers: { Authorization: `Bearer ${process.env.NESTAPI_KEY}` },
  });
  console.log(await res.json());
  ```

  ```csharp C# theme={null}
  using var http = new HttpClient();
  http.DefaultRequestHeaders.Authorization =
      new AuthenticationHeaderValue("Bearer", apiKey);
  var res = await http.GetAsync("https://dev.api.nestapi.com/auth/validate");
  ```
</CodeGroup>

`GET /auth/validate` confirms the key is active and returns basic identity info
(`Valid`, `UserId`) — a quick way to check a key works.

## Verifying a key

Two account endpoints help you check a key's state:

| Endpoint                 | Purpose                                                              |
| ------------------------ | -------------------------------------------------------------------- |
| `GET /auth/validate`     | Confirms the key is active and returns basic identity info.          |
| `GET /apiKey/validUntil` | Returns the key's expiry date (or `31/12/9999` if it never expires). |

## Key classes

| Class     | Can do                                                                         |
| --------- | ------------------------------------------------------------------------------ |
| **Usage** | Submit nesting and importer requests. The default.                             |
| **Admin** | Everything a Usage key can, plus manage browser origins and fairness settings. |

## Security

<Warning>
  Treat API keys like passwords. Never embed them in client-side code or commit them to
  source control. For browser-based apps, restrict a key to specific origins with the
  [allowed-origins endpoints](/account/api-keys) and keep long-lived keys server-side.
</Warning>

* Rotate keys periodically, and set an expiry for time-boxed integrations.
* Disable a compromised key immediately.

Key creation, rotation, and disabling are done from your NestAPI **dashboard** — see
[API keys](/account/api-keys).
