> ## Documentation Index
> Fetch the complete documentation index at: https://technologychecker.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate API requests with Bearer tokens. Get your API key from the dashboard, use live keys for production and test keys for development. Code examples in cURL, Python, and JavaScript.

All API endpoints require authentication via an API key passed as a <Tooltip tip="A token-based authentication scheme where the API key is sent in the Authorization header as 'Bearer your_api_key'. No session or cookies needed.">Bearer token</Tooltip> in the `Authorization` header.

```bash theme={null}
Authorization: Bearer tapi_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

## Prerequisites

* A TechnologyChecker account ([sign up free](https://app.technologychecker.io/auth/sign-up))
* Access to the **Settings** > **Developers** section in the [dashboard](https://app.technologychecker.io)

## Key formats

| Type | Prefix       | Use case                                        |
| ---- | ------------ | ----------------------------------------------- |
| Live | `tapi_live_` | Production requests that consume credits        |
| Test | `tapi_test_` | Development and testing (limited functionality) |

## How to get your API key

<Steps>
  <Step title="Sign in">
    Go to [app.technologychecker.io](https://app.technologychecker.io) and sign in to your account.
  </Step>

  <Step title="Navigate to developers">
    Go to **Settings** > **Developers**.
  </Step>

  <Step title="Create your key">
    Click **Create API key** and copy the key — it is only shown once.
  </Step>
</Steps>

Each organization gets a single API key with encrypted storage. Usage is tracked via credits (limit, used, remaining) with a monthly reset date.

<Warning>
  Keep your API key secret. Don't expose it in client-side code, public repositories, or logs. If it's compromised, revoke it immediately and generate a new one.
</Warning>

## Example request

<CodeGroup>
  ```bash cURL theme={null}
  curl -H "Authorization: Bearer tapi_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
    https://api.technologychecker.io/v1/domain/shopify.com
  ```

  ```python Python theme={null}
  import requests

  headers = {"Authorization": "Bearer tapi_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"}
  response = requests.get(
      "https://api.technologychecker.io/v1/domain/shopify.com",
      headers=headers,
  )
  data = response.json()
  ```

  ```javascript JavaScript theme={null}
  const response = await fetch(
    "https://api.technologychecker.io/v1/domain/shopify.com",
    {
      headers: {
        Authorization: "Bearer tapi_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
      },
    }
  );
  const data = await response.json();
  ```
</CodeGroup>

<Note>
  All `/v1/*` endpoints require authentication. Account endpoints like `/v1/usage` and `/v1/credits` do not consume credits.
</Note>

## Related pages

<CardGroup cols={2}>
  <Card title="Rate limits" icon="gauge-high" href="/api-reference/rate-limits">
    Request limits by plan and retry strategies.
  </Card>

  <Card title="Credits" icon="coins" href="/api-reference/credits">
    Credit costs per endpoint and plan details.
  </Card>

  <Card title="Errors" icon="triangle-exclamation" href="/api-reference/errors">
    Error codes, response format, and retry logic.
  </Card>

  <Card title="API reference" icon="square-terminal" href="/api-reference/introduction">
    Explore all endpoints with interactive examples.
  </Card>
</CardGroup>

## Frequently asked questions

<AccordionGroup>
  <Accordion title="How do I keep my API key secure?">
    Don't expose your API key in client-side code, public repositories, or logs. Store it in environment variables or a secrets manager. If your key gets compromised, revoke it immediately from **Settings** > **Developers** and generate a new one.
  </Accordion>

  <Accordion title="Can I have multiple API keys?">
    Each organization gets a single API key with encrypted storage. Usage is tracked via credits with a monthly reset date. All team members in your organization share the same key.
  </Accordion>

  <Accordion title="What happens if my API key is invalid?">
    The API returns HTTP `401` with error code `UNAUTHORIZED` and the message "Missing or invalid API key." Verify your `Authorization` header uses the format `Bearer YOUR_API_KEY`. See [errors](/api-reference/errors) for all error codes.
  </Accordion>

  <Accordion title="What's the difference between live and test API keys?">
    Live keys (prefixed `tapi_live_`) make production requests that consume credits from your plan balance. Test keys (prefixed `tapi_test_`) are for development and testing with limited functionality — they won't charge credits. Use test keys while building your integration, then switch to live keys when you're ready for production.
  </Accordion>

  <Accordion title="Do TechnologyChecker API keys expire?">
    No. API keys remain valid until you manually revoke them. There's no automatic expiration or forced rotation schedule. If you suspect your key has been compromised, revoke it from **Settings** > **Developers** and create a new one immediately.
  </Accordion>

  <Accordion title="How do I rotate or revoke my API key?">
    Go to **Settings** > **Developers** in your [dashboard](https://app.technologychecker.io), revoke the current key, and create a new one. Update the key in all your applications before revoking — the old key stops working instantly. There's no grace period.
  </Accordion>

  <Accordion title="Can I pass the API key as a query parameter instead of a header?">
    No. TechnologyChecker only accepts API keys via the `Authorization: Bearer YOUR_API_KEY` header. Query parameter authentication isn't supported because it exposes keys in server logs, browser history, and referrer headers. Header-based auth is the industry standard for REST APIs.
  </Accordion>
</AccordionGroup>
