All requests to the Syvel API are authenticated with an **API key**.

## Key format

API keys follow this exact format:

```
sv_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

- Prefix: `sv_`
- Followed by **32 alphanumeric characters**
- Total length: **35 characters**

Example: `sv_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6`

## Sending your key

Pass the key in the `Authorization` header on every request:

```
Authorization: Bearer sv_your_api_key
```

```bash
curl "https://api.syvel.io/v1/check/user@example.com" \
  -H "Authorization: Bearer sv_your_api_key"
```

## Key visibility

:::caution[Copy your key immediately]
Your API key is displayed **only once**, at the moment of creation. It cannot be retrieved afterwards. If you lose it, delete it from the dashboard and create a new one.
:::

## Creating a key

In the [dashboard](https://dashboard.syvel.io), under the **API Keys** section:

1. Click **New key**
2. Give it a name (e.g. `"Production"`, `"Staging"`)
3. Copy the displayed key immediately

## Origin restriction (CORS)

Each key can be restricted to one or more allowed origins. When an origin is set, requests from any other `Origin` header are rejected with a `403`.

This is useful for browser-side integrations to prevent your key from being used from third-party domains.

Configure allowed origins per key in the dashboard, under **API Keys → Edit**.

:::note
Origin restriction applies to browser requests only (where the `Origin` header is sent automatically). Server-side requests (cURL, Node.js, Python, etc.) are not affected.
:::