# Authentication

> Authenticate with the Lumenfall API

All requests to the Lumenfall API require authentication using an API key.

## Getting your API key

1. Sign in to your [Lumenfall dashboard](https://lumenfall.ai/app)
2. Navigate to **API Keys**
3. Click **Create API Key**
4. Copy and securely store your key

<Warning>
  API keys are only shown once when created. Store your key securely - you won't be able to view it again.
</Warning>

## Using your API key

Include your API key in the `Authorization` header of every request:

```bash theme={null}
Authorization: Bearer lmnfl_abc123.xyz789
```

### Example request

```bash theme={null}
curl https://api.lumenfall.ai/openai/v1/models \
  -H "Authorization: Bearer $LUMENFALL_API_KEY"
```

### With OpenAI SDK

Since Lumenfall is OpenAI-compatible, configure the SDK with your Lumenfall key:

<CodeGroup>
  ```python Python theme={null}
  import os

  from openai import OpenAI

  # Read the key from the environment rather than hardcoding it in source.
  client = OpenAI(
      api_key=os.environ["LUMENFALL_API_KEY"],
      base_url="https://api.lumenfall.ai/openai/v1",
  )
  ```

  ```typescript TypeScript theme={null}
  import OpenAI from "openai";

  // Read the key from the environment rather than hardcoding it in source.
  const client = new OpenAI({
    apiKey: process.env.LUMENFALL_API_KEY,
    baseURL: "https://api.lumenfall.ai/openai/v1",
  });
  ```
</CodeGroup>

## Managing API keys

From your dashboard, you can:

* **Create** new API keys with unique titles
* **Revoke** keys that are no longer needed or may be compromised
* **Delete** revoked keys to keep your dashboard clean
* **View usage** per key to track which applications are consuming your quota

## Security best practices

<AccordionGroup>
  <Accordion title="Never commit API keys to version control">
    Use environment variables or secret management tools instead of hardcoding keys in your code.

    ```bash theme={null}
    # .env file (add to .gitignore)
    LUMENFALL_API_KEY=lmnfl_abc123.xyz789
    ```
  </Accordion>

  <Accordion title="Never expose API keys in client-side code">
    API keys should never be included in browser JavaScript, mobile apps, or any code that runs on user devices. Client-side code can be inspected, and exposed keys can be stolen and abused.

    Instead, proxy requests through your own backend server to keep your API key secure. Alternatively, you can create a separate API key for each of your users so that you can limit their use.
  </Accordion>

  <Accordion title="Use separate keys for different environments">
    Create distinct API keys for development, staging, and production. This makes it easier to rotate keys and track usage.
  </Accordion>

  <Accordion title="Rotate keys periodically">
    Regularly rotate your API keys, especially for production environments. Revoke old keys after confirming the new ones work.
  </Accordion>

  <Accordion title="Revoke compromised keys immediately">
    If you suspect a key has been exposed, revoke it immediately from your dashboard and create a new one.
  </Accordion>
</AccordionGroup>
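
One way to enforce "Never commit API keys to version control" is to scan files for key-shaped strings before they are committed. The script below is an added example, not Lumenfall's own tooling; the key pattern is an assumption inferred from the sample key `lmnfl_abc123.xyz789` shown on this page, and the function names are hypothetical.

```python
"""Scan files for Lumenfall-looking API keys (added example, not vendor code)."""
import re
import sys

# ASSUMPTION: key shape inferred from the sample "lmnfl_abc123.xyz789" on this
# page: an "lmnfl_" prefix followed by two dot-separated token parts.
# The real key alphabet and length may differ.
KEY_RE = re.compile(r"\blmnfl_[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def redact(key):
    """Keep only the first 8 characters so the report never leaks the key."""
    return key[:8] + "****"


def find_keys(text):
    """Return (line_number, redacted_key) for every key-shaped string in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            hits.append((n, redact(m.group(0))))
    return hits


def scan_files(paths):
    """Scan each readable file; return (path, line_number, redacted_key) tuples."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue  # deleted or unreadable file: nothing to scan
        findings += [(path, n, k) for n, k in find_keys(text)]
    return findings


def main(argv):
    """Print findings to stderr; return 1 if any key was found, else 0."""
    findings = scan_files(argv)
    for path, n, k in findings:
        print(f"{path}:{n}: possible Lumenfall API key ({k})", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run from a Git pre-commit hook with the staged file names as arguments, a non-zero exit blocks the commit. References to the `LUMENFALL_API_KEY` environment variable are not flagged, only literal key values.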
