# Authentication

> Get an API credential and start calling the Anyreach API.

The Anyreach API accepts two kinds of bearer credential. Pass either one in the `Authorization` header — the platform validates it and resolves your organization and scopes server-side.

| Credential                      | Prefix | Created at                               | Organization                                      |
| ------------------------------- | ------ | ---------------------------------------- | ------------------------------------------------- |
| **Organization API key**        | `ak_`  | **API Keys** page (`/api-keys`)          | Carries its organization implicitly               |
| **Personal access token (PAT)** | `pat_` | **Account → Tokens** (`/account/tokens`) | Not org-bound — you must pass the org per request |

Use an **organization API key** for backend integrations that act on one organization. Use a **personal access token** for tooling that spans several of your organizations.

## Create a credential

<Tabs>
  <Tab title="Organization API key">
    1. Open **API Keys** from the sidebar.
    2. Click **New API key** and give it a descriptive name.
    3. Copy the full secret (`ak_<id>.<secret>`) — it is shown only once. Store it in your secret manager.
  </Tab>

  <Tab title="Personal access token">
    1. Open **Account → Tokens**.
    2. Click **New token**, name it, and optionally set an expiry.
    3. Copy the token value (`pat_...`) — it is shown only once.
  </Tab>
</Tabs>

## Use it

Pass the credential as a bearer token:

```bash
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer $ANYREACH_TOKEN"
```

Organization API keys carry their organization, so that is all you need. A **personal access token** is not bound to an organization — add the `X-Anyreach-Org` header to tell Anyreach which organization to act on:

```bash
curl https://api.anyreach.ai/core/agents \
  -H "Authorization: Bearer $ANYREACH_PAT" \
  -H "X-Anyreach-Org: $ANYREACH_ORG_ID"
```

<Warning>
  If you call an org-scoped endpoint with a `pat_` token and no `X-Anyreach-Org` header, the request fails with `401` and the message *"Token is missing organization claim."* Retry with the header.
</Warning>
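The two curl calls above differ only in the headers they send. A small client helper that applies the same rule before the request leaves your process catches the missing-org mistake locally instead of waiting for the `401`. This is an added example, not Anyreach's own SDK: the base URL, `/core/agents`, the `X-Anyreach-Org` header and the `ak_` / `pat_` prefixes come from this page; `MissingOrgClaimError`, the helper names, and the assumption that the `401` message text appears in the response body are this example's own.

```python
"""Build Anyreach auth headers client-side, enforcing the documented org rule.

Added example, not Anyreach's SDK. Endpoint and header names come from the
docs above; MissingOrgClaimError and the helper names are this example's own.
"""
from __future__ import annotations

import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.anyreach.ai"
ORG_HEADER = "X-Anyreach-Org"


class MissingOrgClaimError(ValueError):
    """A pat_ token was used on an org-scoped endpoint without X-Anyreach-Org."""


def credential_kind(credential: str) -> str:
    """Classify a bearer credential by its documented prefix."""
    if credential.startswith("ak_"):
        return "api_key"
    if credential.startswith("pat_"):
        return "pat"
    raise ValueError("credential must start with 'ak_' or 'pat_'")


def build_headers(credential: str, org_id: str | None = None) -> dict[str, str]:
    """Return request headers, applying the org rule before the call is made.

    An ak_ key carries its organization, so only Authorization is sent.
    A pat_ token is not org-bound; without org_id the server would answer
    401 "Token is missing organization claim", so fail here instead.
    """
    headers = {"Authorization": f"Bearer {credential}"}
    if credential_kind(credential) == "pat":
        if not org_id:
            raise MissingOrgClaimError(
                f"pat_ tokens need {ORG_HEADER}; pass org_id for org-scoped endpoints"
            )
        headers[ORG_HEADER] = org_id
    return headers


def is_missing_org_claim(status: int, body: str) -> bool:
    """Detect the documented 401 so callers can retry with the org header.

    Assumption (not stated on the page): the message text is somewhere in
    the response body, in any casing.
    """
    return status == 401 and "missing organization claim" in body.lower()


def list_agents(credential: str, org_id: str | None = None):
    """GET /core/agents with the right headers; surfaces the org-claim 401."""
    req = urllib.request.Request(
        f"{API_BASE}/core/agents", headers=build_headers(credential, org_id)
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        body = exc.read().decode(errors="replace")
        if is_missing_org_claim(exc.code, body):
            # Same condition the Warning above describes; retry with org_id.
            raise MissingOrgClaimError(body) from exc
        raise


if __name__ == "__main__":
    # Reads the same environment variables the curl examples use.
    token = os.environ["ANYREACH_TOKEN"]
    print(json.dumps(list_agents(token, os.environ.get("ANYREACH_ORG_ID")), indent=2))
```

`build_headers` deliberately does not send `X-Anyreach-Org` with an `ak_` key, since the key already carries its organization; whether the platform tolerates a redundant header is not something this page states, so the helper simply never adds one.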

## Rotation

Tokens don't expire unless you set an expiry. Rotate them when:

* A teammate with access leaves
* A token may have been exposed in logs or version control
* Your security policy requires periodic rotation

Delete old credentials from the same page you created them on. Active calls using a deleted credential start failing with `401`.
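The second rotation trigger, a credential that may have landed in logs or version control, is easiest to act on if you can find such leaks mechanically. The scanner below is an added example, not an Anyreach tool: it knows only the credential shapes this page documents (`ak_<id>.<secret>` and `pat_...`). The character classes and minimum lengths in the regex are assumptions, chosen to avoid matching the bare `ak_` / `pat_` prefixes that appear in prose, and the sample log lines are constructed.

```python
"""Find and redact Anyreach-shaped credentials in text (logs, diffs, CI output).

Added example, not Anyreach's own tooling. Only the prefixes and the
ak_<id>.<secret> layout come from the docs; the character classes and
minimum lengths below are assumptions.
"""
import re

# ak_<id>.<secret> or pat_<token>. The {8,} floor keeps bare prefixes in
# prose ("a `pat_` token") from matching. Alternation keeps hits in text order.
CREDENTIAL_RE = re.compile(
    r"\b(ak_[A-Za-z0-9]+\.[A-Za-z0-9_-]{8,}|pat_[A-Za-z0-9_-]{8,})"
)

# Constructed sample: a deploy log that echoed an env var and a debug line
# that logged the Authorization header. Values are made up for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z INFO  deploy: starting with ANYREACH_TOKEN=ak_01HXQ9.Zk8sQ2mN7pL4vR1t
2024-05-01T10:00:01Z DEBUG http: Authorization: Bearer pat_f3Ab9xQ2mN7pL4vR1tWy
2024-05-01T10:00:02Z INFO  deploy: done (org=org_123)
"""


def find_credentials(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) for every credential-shaped token in text."""
    hits = []
    for m in CREDENTIAL_RE.finditer(text):
        value = m.group(1)
        kind = "api_key" if value.startswith("ak_") else "pat"
        hits.append((kind, value))
    return hits


def redact_one(value: str) -> str:
    """Keep enough to identify which credential leaked, drop the secret part.

    For ak_<id>.<secret> the id is kept and the secret replaced; for pat_ the
    first four token characters are kept. Both are this example's choices.
    """
    if value.startswith("ak_"):
        ident, _, _secret = value.partition(".")
        return f"{ident}.***"
    return f"{value[:8]}***"  # "pat_" plus four characters


def redact(text: str) -> str:
    """Return text with every detected credential replaced by its redacted form."""
    return CREDENTIAL_RE.sub(lambda m: redact_one(m.group(1)), text)


if __name__ == "__main__":
    for kind, value in find_credentials(SAMPLE_LOG):
        print(f"{kind}: {redact_one(value)}  <- rotate this credential")
    print(redact(SAMPLE_LOG))
```

Run it over CI output or as a pre-commit hook; any hit means the credential should be treated as exposed and rotated from the page it was created on, as the list above says.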

## Scope and permissions

A credential can do whatever the issuing user (or organization role) can do, governed by **roles** and fine-grained **scopes**. See [Roles and permissions](/organizations/roles-and-permissions) for the full model. For automated integrations, issue the credential from a user with the minimum role required.

## Public endpoints

Some endpoints accept unauthenticated calls for browser or webhook embedding — for example [public workflow execution](/workflows/execution/public-execution) and the [public web-widget endpoints](/web-widgets/allowed-domains-and-security). Never send a `pat_` or `ak_` credential from a browser.
