> ## Documentation Index
> Fetch the complete documentation index at: https://docs.impulselabs.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate API requests with an Impulse Labs API key

All requests to the Inference API must include a valid API key in the `Authorization` header.

## API key format

Impulse Labs API keys start with `imp_` followed by 64 hex characters:

```
imp_a1b2c3d4e5f6...  (68 characters total)
```

## Sending your key

Pass the key as a **Bearer token** in the `Authorization` header on every request:

```bash theme={null}
curl https://inference.impulselabs.ai/infer \
  -H "Authorization: Bearer imp_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{ ... }'
```

<Warning>
  Never include your API key in client-side code, URLs, or version control. Use environment variables or a secrets manager.
</Warning>

## Creating an API key

<Steps>
  <Step title="Open the dashboard">
    Go to [app.impulselabs.ai](https://app.impulselabs.ai) and sign in.
  </Step>

  <Step title="Navigate to API Keys">
    Click your avatar → **Settings** → **API Keys**.
  </Step>

  <Step title="Create a key">
    Click **New API Key**, enter a descriptive name (e.g. `production`, `ci-pipeline`), and click **Create**.
  </Step>

  <Step title="Copy and store the key">
    The raw key is shown **only once**. Copy it and store it in a secure location such as your hosting provider's secret store or a `.env` file that is not committed to version control.
  </Step>
</Steps>

<Note>
  API keys require a **Pro, Team, or Enterprise** plan. If you see a `403 Upgrade required` response, visit [app.impulselabs.ai/billing](https://app.impulselabs.ai/billing).
</Note>

## Revoking a key

You can revoke a key at any time from the **Settings → API Keys** page in the dashboard, or via the [Revoke API Key](/api-reference/api-keys/revoke) endpoint. Revoked keys are rejected immediately with a `401` response.

## Key security best practices

* Rotate keys regularly and revoke any you no longer use.
* Create separate keys for each application or environment.
* Never log the raw key — use the `key_prefix` (first 8 characters) for identifying which key was used in logs.
* Set up monitoring on your usage metrics in the dashboard to detect unexpected spikes.
