# Authentication

> Create and manage API keys to authenticate with the Traversal API.

The Traversal API is available to all users. Authenticate your requests with an API key, which you can create yourself from the Traversal web app.

## Create an API key

<Steps>
  <Step title="Open API key settings">
    Go to **[Settings > API Keys](https://app.traversal.com/settings/api-keys)** in the Traversal web app.
  </Step>

  <Step title="Create a new key">
    Click **Add API Key**, give it a descriptive name (e.g., `ci-pipeline` or `local-dev`), and confirm.
  </Step>

  <Step title="Copy and store the key">
    Traversal displays the key in a modal. **This is your only chance to copy it** — once you dismiss the modal, the key cannot be retrieved again.

    Store it in a secure secret manager (1Password, AWS Secrets Manager, Vault, etc.) before closing the dialog.
  </Step>
</Steps>

<Warning>
  API keys are shown **once**. If you lose a key, you'll need to create a new one and revoke the old.
</Warning>

## Use the key

Send the key as a bearer token in the `Authorization` header:

```http
Authorization: Bearer trv_ak_your_api_key_here
```

Each key is bound to the user who created it and their organization. The user must have at least the `MEMBER` role — see [Roles and permissions](/get-started/authentication#roles-and-permissions).

| Condition                                                     | Response           |
| ------------------------------------------------------------- | ------------------ |
| Missing, invalid, or revoked token                            | `401 Unauthorized` |
| V1 API not enabled for the organization, or insufficient role | `403 Forbidden`    |

## Key hygiene

* **Name keys descriptively** so you can identify which system uses them.
* **Use separate keys per environment or service** (e.g., one for CI, one for a local script). This limits blast radius and makes revocation surgical.
* **Rotate regularly** and whenever someone with access leaves the team.
* **Never commit keys to source control.** Use environment variables or a secret manager.
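
One way to enforce the "never commit keys" rule, as an added example that is not part of the Traversal documentation: a Python check that flags strings carrying the `trv_ak_` prefix from the header example above and reports them redacted. The token length and character set after the prefix, and the `TRAVERSAL_API_KEY` variable name in the sample, are assumptions.

```python
import re
import sys

# Assumption: real keys share the `trv_ak_` prefix shown in this page's header
# example; the character set and minimum length after the prefix are guesses.
KEY_RE = re.compile(r"\btrv_ak_[A-Za-z0-9_\-]{16,}")
# Documentation placeholder from this page; not a real secret.
PLACEHOLDERS = {"trv_ak_your_api_key_here"}
# Constructed sample input; the key and the variable name are made up.
SAMPLE = '''\
TRAVERSAL_API_KEY = "trv_ak_EXAMPLEONLY0000000000abcd"
curl -H "Authorization: Bearer trv_ak_your_api_key_here" ...
api_key = os.environ["TRAVERSAL_API_KEY"]
'''


def redact(token: str) -> str:
    """Keep only the prefix and last 4 characters so reports never leak the key."""
    return f"trv_ak_...{token[-4:]}"


def scan_text(text: str, path: str = "<stdin>") -> list[tuple[str, int, str]]:
    """Return (path, line_number, redacted_token) for every suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            token = match.group(0)
            if token not in PLACEHOLDERS:
                findings.append((path, lineno, redact(token)))
    return findings


def main(paths: list[str]) -> int:
    """Scan the given files; return 1 if any suspected key is found."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), path)
        except OSError as exc:  # unreadable path or directory: report and move on
            print(f"skip {path}: {exc}", file=sys.stderr)
    for path, lineno, token in findings:
        print(f"{path}:{lineno}: possible Traversal API key {token}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Pass it the staged file paths from a pre-commit hook or CI step; a non-zero exit status blocks the commit. Treat any key it finds in history as leaked and revoke it.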

## Revoke a key

If a key is lost, leaked, or no longer needed, revoke it from **[Settings > API Keys](https://app.traversal.com/settings/api-keys)**. Revocation takes effect immediately — subsequent requests using the key return `401 Unauthorized`.
