> ## Documentation Index
> Fetch the complete documentation index at: https://docs.usehone.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Hone ingestion is authenticated with a single header: x-api-key. Learn where to get a key, how to send it, and how to keep it safe.

Every request to the Hone ingestion API carries one header:

```http theme={null}
x-api-key: sk_1a2b3c...
```

That is the whole model. A valid key authorizes writes for the organization that owns it. There is no separate account id to route on and no token exchange to perform.

## Where keys come from

API keys are issued in the Hone dashboard under **Settings → API Keys**. Give each key a name that describes where it runs, for example `production` or `staging`, so you can revoke the right one later without guessing.

A key is a string that starts with `sk_` followed by a hexadecimal secret:

```
sk_9f3c0d7e5b2a41c88e6f0a1b2c3d4e5f...
```

Keys are scoped to your organization and do not expire on a timer. They stay valid until you delete them from the dashboard.

## Sending the key

The SDKs take the key at initialization and attach the header for you.

<CodeGroup>
  ```python Python theme={null}
  import honeai

  honeai.init("sk_your_key_here")
  ```

  ```typescript TypeScript theme={null}
  import { init } from "@hone/sdk";

  init("sk_your_key_here");
  ```

  ```bash curl theme={null}
  curl https://api.hone.dev/api/v1/capture-event \
    -H "x-api-key: sk_your_key_here" \
    -H "Content-Type: application/json" \
    -d '{ "event_id": "...", "session_id": "...", "primitive_name": "support-bot", "args": "hi", "result": "hello" }'
  ```
</CodeGroup>

## Endpoints

<CardGroup cols={2}>
  <Card title="Production" icon="globe">
    `https://api.hone.dev`
  </Card>

  <Card title="Local development" icon="laptop-code">
    `http://localhost:8080`
  </Card>
</CardGroup>

Point the SDK at a different base URL with the `endpoint` option when you need to (for example, a local stack):

<CodeGroup>
  ```python Python theme={null}
  honeai.init("sk_your_key_here", endpoint="http://localhost:8080")
  ```

  ```typescript TypeScript theme={null}
  init("sk_your_key_here", { endpoint: "http://localhost:8080" });
  ```
</CodeGroup>

## Keep keys out of source control

An `sk_` key is a write credential. Anyone holding it can push events into your organization.

<Warning>
  Never commit an API key to a repository, paste it into a ticket, or ship it in client-side code that reaches an end user's browser or device.
</Warning>

Sound practice:

* Load the key from an environment variable or a secrets manager, never a literal in code.
* Use separate keys per environment so you can revoke one without disturbing the others.
* Rotate a key by creating a new one, deploying it, then deleting the old one from **Settings → API Keys**.
* If a key is ever exposed, delete it immediately. Deletion takes effect for all future requests.

<CodeGroup>
  ```python Python theme={null}
  import os
  import honeai

  honeai.init(os.environ["HONE_API_KEY"])
  ```

  ```typescript TypeScript theme={null}
  import { init } from "@hone/sdk";

  init(process.env.HONE_API_KEY!);
  ```
</CodeGroup>
