# Authentication (https://eulabel.eu/docs/documentation/get-started/authentication)

The EUlabel API supports two authentication methods depending on your use case.

## At a glance

* **Server-to-server integrations**: use an **API key** (Bearer token).
* **Dashboard usage**: use a **session cookie** (WorkOS-backed).
* **Rule of thumb**: never put secrets in the browser.

- [API key (Bearer token)](#api-key-bearer-token) — CI/CD, PIM sync, backend services — fastest and simplest for integrations
- [Session cookie](#session-cookie) — For logged-in dashboard usage — not recommended for service integrations

> **Error**
> Never expose API keys in client-side code, public repositories, or browser JavaScript. API keys grant full access to your organization's data and should only be used in server-side code.

## API Key (Bearer Token)

For machine-to-machine integrations, scripts, and CI pipelines. Include your API key in the `Authorization` header:

### CURL

```bash
export EULABEL_API_KEY="sk_test_..."

curl https://api.eulabel.eu/v1/products \
  -H "Authorization: Bearer $EULABEL_API_KEY"
```

### JavaScript

```javascript
const EULABEL_API_KEY = process.env.EULABEL_API_KEY;

const response = await fetch('https://api.eulabel.eu/v1/products', {
  headers: { 'Authorization': `Bearer ${EULABEL_API_KEY}` },
});
```
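
### Python

```python
import os

import requests

# Read the key from the environment instead of hardcoding it in source.
EULABEL_API_KEY = os.environ["EULABEL_API_KEY"]

response = requests.get(
    "https://api.eulabel.eu/v1/products",
    headers={"Authorization": f"Bearer {EULABEL_API_KEY}"},
    timeout=10,
)
```
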
API keys are scoped to a specific organization and can be restricted to specific permissions.

| Property  | Description                                                   |
| --------- | ------------------------------------------------------------- |
| Format    | `sk_live_` prefix (production) or `sk_test_` prefix (sandbox) |
| Scope     | Per organization, per environment                             |
| Use cases | PIM webhook delivery, bulk data sync, CI/CD pipelines         |
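
Because keys carry a fixed `sk_live_` / `sk_test_` prefix, a pre-commit or CI step can catch one before it reaches a repository or a browser bundle. The scanner below is an added example, not EUlabel code. It assumes the key body is 16 or more alphanumeric characters and uses a hypothetical list of client-side file suffixes; the function names and sample files are constructed for illustration.

```python
import re

# Assumption: only the sk_live_/sk_test_ prefixes come from the page; the key
# body (16+ characters of [A-Za-z0-9]) is a guess, so tune it to your keys.
KEY_RE = re.compile(r"\b(sk_(live|test)_)([A-Za-z0-9]{16,})\b")

# Hypothetical list of file types that end up in a browser.
CLIENT_SUFFIXES = (".html", ".js", ".jsx", ".ts", ".tsx", ".vue")


def redact(prefix, body):
    """Keep the prefix and last 4 characters so a finding never re-leaks the key."""
    return f"{prefix}{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(path, text):
    """Return one finding per key-shaped token in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            prefix, env, body = m.groups()
            client_side = path.endswith(CLIENT_SUFFIXES)
            # Production keys and anything shipped to a browser block the commit.
            severity = "block" if env == "live" or client_side else "warn"
            findings.append({
                "path": path, "line": lineno,
                "environment": "production" if env == "live" else "sandbox",
                "severity": severity, "key": redact(prefix, body),
            })
    return findings


def scan_files(files):
    """`files` maps path -> contents; returns (findings, exit_code)."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return findings, 1 if any(f["severity"] == "block" for f in findings) else 0


# Constructed sample inputs (not real keys).
SAMPLE_FILES = {
    "sync/job.py": 'KEY = "sk_test_EXAMPLEexample0000abcd"\n',
    "web/app.js": "const k = 'sk_live_EXAMPLEexample0000wxyz';\n",
    "docs/readme.md": 'export EULABEL_API_KEY="sk_test_..."\n',
}

if __name__ == "__main__":
    findings, code = scan_files(SAMPLE_FILES)
    print(*findings, sep="\n")
    raise SystemExit(code)
```

The documentation placeholder `sk_test_...` is not reported, and a sandbox key in server-side code only warns, so the hook fails the commit solely for production keys or keys in client-side files.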

## Session Cookie

For browser-based access through the EUlabel Dashboard:

| Property  | Description                                                       |
| --------- | ----------------------------------------------------------------- |
| Provider  | WorkOS AuthKit (SAML, OIDC, Google, Microsoft)                    |
| Session   | `iron-session` cookie (`eulabel_session`) scoped to `.eulabel.eu` |
| Use cases | Dashboard access, API key management, organization switching      |

API key management endpoints (`/v1/auth/api-keys`) require session authentication and cannot be called with an API key alone. This prevents key escalation attacks, because an API key can never be used to manage API keys.

## Permissions (Scopes)

Every API key is assigned one or more permission scopes that control what resources it can access.

| Scope             | Grants                                     |
| ----------------- | ------------------------------------------ |
| `products:read`   | List and get products, passports, QR codes |
| `products:write`  | Create products                            |
| `passports:read`  | Read passport data                         |
| `passports:write` | Create and publish passports               |
| `suppliers:read`  | List suppliers                             |
| `suppliers:write` | Create suppliers                           |
| `analytics:read`  | View scan analytics                        |
| `api_keys:manage` | Manage API keys (session only)             |

## Error responses

| Status | Meaning                                                      |
| ------ | ------------------------------------------------------------ |
| 401    | Missing or invalid API key                                   |
| 403    | Valid API key but insufficient permissions for this endpoint |

## Next steps

- [API Keys](https://eulabel.eu/docs/documentation/get-started/api-keys) — Create, rotate, and revoke keys safely
- [Sandbox](https://eulabel.eu/docs/documentation/get-started/sandbox) — Test with pre-populated data using `sk_test_...`
- [Quickstart](https://eulabel.eu/docs/documentation/get-started/quickstart) — Create a product, publish a passport, and download a QR code

