# Authentication

> How to authenticate with the Dolfin API

## API Key Authentication

All API requests are authenticated using the `x-dolfin-api-key` header. Your API key is distributed when your organisation is onboarded to the Dolfin platform.

```bash
curl -X GET https://api.dolfinai.co/invoices \
  -H "x-dolfin-api-key: your-api-key" \
  -H "x-dolfin-organisation-id: your-org-id"
```

### Required Headers

| Header                     | Description                              | Required                              |
| -------------------------- | ---------------------------------------- | ------------------------------------- |
| `x-dolfin-api-key`         | Your API key                             | Yes (for all authenticated endpoints) |
| `x-dolfin-organisation-id` | The organisation ID to scope requests to | Yes (for most endpoints)              |

<Note>
  Some endpoints, such as those for creating organisations and creating users, are exempt from the `x-dolfin-organisation-id` header requirement because they operate across organisations.
</Note>

## Bearer Token Authentication

End users (e.g. SMB users provisioned by your platform) authenticate using Bearer JWTs. These tokens are obtained by exchanging a short-lived auth code via the `POST /auth/exchange` endpoint.

```bash
curl -X GET https://api.dolfinai.co/invoices \
  -H "Authorization: Bearer eyJ..." \
  -H "x-dolfin-organisation-id: your-org-id"
```

Bearer tokens are valid for **8 hours** and contain the user's organisation memberships and roles as claims.
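Because a token stops working after its 8-hour lifetime, a client can read the expiry from the token itself and re-authenticate shortly before it lapses. The following is an added example, not Dolfin's own code: it assumes the JWT carries the standard `exp` claim (RFC 7519), and all function names and the sample token are hypothetical and constructed for illustration.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Only for client-side scheduling (when to re-authenticate); the API
    verifies the token and makes every authorisation decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))  # ValueError if malformed
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def seconds_remaining(token, now=None):
    """Seconds until the standard `exp` claim; negative once expired."""
    exp = jwt_claims(token).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric exp claim")
    return exp - (time.time() if now is None else now)


def needs_new_token(token, skew=60.0, now=None):
    """True if the token is malformed, expired, or within `skew` seconds of expiry."""
    try:
        return seconds_remaining(token, now) <= skew
    except ValueError:
        return True


def constructed_token(claims):
    """Unsigned sample token built for this example; not a real Dolfin token."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time
    sample = constructed_token({"sub": "user-1", "exp": issued + 8 * 3600})
    print(needs_new_token(sample, now=issued + 3600))           # an hour in
    print(needs_new_token(sample, now=issued + 8 * 3600 - 30))  # 30 s before expiry
```

Treat the decoded claims as untrusted hints: they are useful for deciding when to fetch a fresh token, never for granting access on the client side.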

<Card title="Client integration guide" icon="rocket" href="/guides/client-integration">
  See the full flow for provisioning users and generating bearer tokens.
</Card>
