# Authentication

> Authenticate your API requests to Pentest-Tools.com

## Overview

The API uses Bearer token authentication. Include your API key in the `Authorization` header of every request.

<Info>
  API access requires a plan that includes it. If you receive a 403 "Your plan does not have API access" error, check your subscription.
</Info>

## Getting your API key

<Steps>
  <Step title="Log in">
    Access your Pentest-Tools.com account.
  </Step>

  <Step title="Go to API settings">
    Navigate to **My account > API**.
  </Step>

  <Step title="Create a key">
    Click **Create API Key**, give it a name, and optionally set an expiration date.
  </Step>

  <Step title="Copy and store">
    Copy your key immediately. It won't be shown again.
  </Step>
</Steps>

## Using the API key

Include the key in the `Authorization` header with the `Bearer` prefix:

```text
Authorization: Bearer YOUR_API_KEY
```

### Example request

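```python
import requests

# Placeholder only: load the real key from an environment variable, not from code.
API_KEY = "YOUR_API_KEY"
API_URL = "https://app.pentest-tools.com/api/v2"

response = requests.get(
    f"{API_URL}/targets",
    headers={"Authorization": f"Bearer {API_KEY}"},
    timeout=30,  # fail instead of hanging if the API is unreachable
)

# Raise on 401/403 (and other HTTP errors) instead of parsing an error body.
response.raise_for_status()
print(response.json())
```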

## API key security

<Warning>
  Treat your API key like a password. Never commit it to version control or expose it in client-side code.
</Warning>

### Best practices

| Practice              | Description                                      |
| --------------------- | ------------------------------------------------ |
| Environment Variables | Store keys in environment variables, not in code |
| Rotation              | Rotate keys periodically                         |
| Expiration            | Set expiration dates on keys                     |
| Naming                | Use descriptive names to identify key purpose    |
| Monitoring            | Check "Last used" date in My account > API       |

### Managing keys

From **My account > API** you can:

* Create multiple keys for different purposes (CI/CD, scripts, integrations)
* View when each key was last used
* Set expiration dates (1-365 days, or never)
* Revoke compromised keys immediately

## Authentication errors

| Code | Message                            | Solution                                              |
| ---- | ---------------------------------- | ----------------------------------------------------- |
| 401  | Unauthorized                       | API key is missing or invalid                         |
| 403  | Your plan does not have API access | Upgrade to a plan with API access                     |
| 403  | Forbidden                          | Valid key but insufficient permissions for the action |
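
The following is an added example, not code from Pentest-Tools.com: it combines the "Environment Variables" practice above with the error table, reading the key from the environment and mapping a 401 or 403 to the documented cause. The variable name `PTT_API_KEY`, the helper names, and the assumption that the documented message text appears somewhere in the response body are all hypothetical; `session` is expected to be a `requests.Session` or a compatible object.

```python
import os

API_URL = "https://app.pentest-tools.com/api/v2"
ENV_VAR = "PTT_API_KEY"  # hypothetical variable name, not defined by the API
PLAN_MESSAGE = "Your plan does not have API access"


def auth_headers(environ=os.environ):
    """Build the Authorization header from the environment, rejecting bad values."""
    key = environ.get(ENV_VAR, "").strip()
    if not key or key == "YOUR_API_KEY":
        raise RuntimeError(f"{ENV_VAR} is not set; export it instead of hard-coding the key")
    # Whitespace inside the value (a bad copy/paste) would corrupt the header.
    if any(ch.isspace() for ch in key):
        raise RuntimeError(f"{ENV_VAR} contains whitespace; re-copy the key")
    return {"Authorization": f"Bearer {key}"}


def diagnose(status_code, body_text):
    """Map a status code and response body to the causes in the errors table."""
    if status_code == 401:
        return "API key is missing or invalid"
    if status_code == 403:
        # Assumption: the documented message text appears in the response body.
        if PLAN_MESSAGE.lower() in body_text.lower():
            return "Upgrade to a plan with API access"
        return "Valid key but insufficient permissions for the action"
    return None


def get_targets(session, environ=os.environ):
    """GET /targets; raise with the documented cause on an authentication failure."""
    resp = session.get(f"{API_URL}/targets", headers=auth_headers(environ), timeout=30)
    cause = diagnose(resp.status_code, resp.text)
    if cause:
        # Keep the key and the request headers out of the error text and logs.
        raise PermissionError(f"{resp.status_code}: {cause}")
    resp.raise_for_status()
    return resp.json()
```

Call it as `get_targets(requests.Session())` after exporting the key in the shell or CI secret store that runs the script.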

## Related topics

* [API overview](/api-reference)
* [API examples](/api-reference/examples)
* [Limits and errors](/api-reference/limits-and-errors)
