> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ndi.nace.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys and the X-API-Key header

Every request is authenticated with an API key sent in the `X-API-Key` header:

```bash theme={"dark"}
curl -s https://ndi-api.nace.ai/api/v1/jobs \
  -H "X-API-Key: ndi_sk_..."
```

Keys start with the prefix `ndi_sk_`. They are issued by your Nace representative and are scoped to your organization (tenant): every job, uploaded file, and result belongs to the tenant whose key created it, and is invisible to every other tenant.

## Handling your key

<Warning>
  Treat the key like a password. Anyone holding it can start jobs, read your job history, and download your results.
</Warning>

* Store it in a secret manager or environment variable — never in source control, client-side code, or logs.
* Use one key per environment / integration so a leak can be revoked without breaking everything else.
* If a key is exposed, contact us immediately — revocation takes effect within minutes across all servers.

## Failure modes

| Situation                      | Response                                 |
| ------------------------------ | ---------------------------------------- |
| Header missing or malformed    | `401` with `error.code = "unauthorized"` |
| Key unknown or revoked         | `401` with `error.code = "unauthorized"` |
| Key valid but account disabled | `401` with `error.code = "unauthorized"` |

The response never distinguishes *why* a key was rejected — that is deliberate.

All error responses share one envelope; see [Errors & limits](/concepts/errors).
