> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anyreach.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authorize your API requests with an API key or personal access token.

The Anyreach API accepts two bearer credentials: **organization API keys** (`ak_`, created on the **API Keys** page) and **personal access tokens** (`pat_`, created under **Account → Tokens**). See the [Authentication guide](/getting-started/authentication) for the full walkthrough and the differences between them.

Pass the credential in the `Authorization` header on every request:

```bash theme={null}
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer $ANYREACH_TOKEN"
```

<Note>
  Copy your credential when you create it — it's shown only once. Store it in a secret manager, never in source control.
</Note>

## Working across organizations

An organization API key (`ak_`) carries its organization implicitly. A personal access token (`pat_`) does not — set the target organization with the `X-Anyreach-Org` header:

```bash theme={null}
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer $ANYREACH_PAT" \
  -H "X-Anyreach-Org: $ANYREACH_ORG_ID"
```

## Access and permissions

A credential can do whatever the issuing user or organization role can do, governed by [roles and scopes](/organizations/roles-and-permissions). Some endpoints return a reduced set of fields to lower-privileged credentials — for example, conversation transcripts and recordings require `conversations:read_sensitive` (see [Permissions and data access](/conversations/permissions-and-data-access)).

## Failed authentication

| Status | Meaning                                                                                               |
| ------ | ----------------------------------------------------------------------------------------------------- |
| `401`  | The credential is missing or invalid, or a `pat_` token was sent without the `X-Anyreach-Org` header. |
| `403`  | The credential is valid but its scopes don't grant access to the action.                              |
