# Authentication

> How to authenticate requests to the Lexful API.

All Lexful API requests must be authenticated. Requests without valid credentials are rejected.

Lexful uses:

* An account identifier in the `X-Account-ID` header.
* A short-lived Bearer token in the `Authorization` header.

## Authentication flow

Most integrations follow the same basic steps: obtain a token, then use it on subsequent requests.

<Steps>
  <Step title="Request a Bearer token">
    Call the auth endpoint with your API key ID and secret:

    ```bash
    curl --location 'https://api.us.lexful.app/v1/auth/token' \
      --header 'X-Account-ID: {YOUR_ACCOUNT_ID}' \
      --header 'Content-Type: application/json' \
      --data '{
        "id": "{YOUR_API_KEY_ID}",
        "secret": "{YOUR_API_KEY_SECRET}"
      }'
    ```

    The response includes a token that is valid for 60 minutes. Treat the token as a secret: do not log it or hard-code it.
  </Step>

  <Step title="Call APIs with the token">
    Include the token and your account ID on API requests:

    ```bash
    curl --location 'https://api.us.lexful.app/v1/organizations' \
      --header 'X-Account-ID: {YOUR_ACCOUNT_ID}' \
      --header 'Authorization: Bearer {TOKEN}'
    ```
  </Step>

  <Step title="Handle common errors">
    If a request fails with an authentication-related error, check for:

    <ul>
      <li>Missing or incorrect <code>X-Account-ID</code>.</li>
      <li>Expired or malformed Bearer token.</li>
      <li>Using credentials from the wrong environment.</li>
    </ul>

    Inspect the HTTP status code and error body, then verify your headers and credentials.
  </Step>
</Steps>
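
A client-side token cache for the flow above, as an added example (not Lexful's own code). It assumes the token comes back in a JSON field named `token`, reads credentials from hypothetical `LEXFUL_*` environment variables instead of hard-coding them, and refreshes five minutes before the 60-minute expiry.

```python
import json
import os
import time
import urllib.request

BASE_URL = "https://api.us.lexful.app/v1"
TOKEN_TTL = 60 * 60       # per this page: tokens are valid for 60 minutes
REFRESH_MARGIN = 5 * 60   # assumption: refresh 5 minutes before expiry

def fetch_token(account_id, key_id, secret):
    """POST /auth/token as in the curl example; returns the parsed JSON body."""
    req = urllib.request.Request(
        f"{BASE_URL}/auth/token",
        data=json.dumps({"id": key_id, "secret": secret}).encode(),
        headers={"X-Account-ID": account_id, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenCache:
    """Holds one Bearer token in memory and renews it before it expires."""
    def __init__(self, account_id, key_id, secret, fetch=fetch_token, clock=time.monotonic):
        self._creds = (account_id, key_id, secret)
        self._fetch, self._clock = fetch, clock
        self._token, self._expires = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires - REFRESH_MARGIN:
            body = self._fetch(*self._creds)
            self._token = body["token"]  # assumption: response field name
            self._expires = now + TOKEN_TTL
        return self._token

    def headers(self):
        return {"X-Account-ID": self._creds[0], "Authorization": f"Bearer {self.token()}"}

    def invalidate(self):
        # Call after an authentication-related error so the next request re-authenticates.
        self._token = None

    def __repr__(self):
        # Keeps the secret and token out of logs and tracebacks.
        return f"TokenCache(account_id={self._creds[0]!r}, token=<redacted>)"

def from_env(**kwargs):
    # Hypothetical variable names; credentials stay out of source control.
    names = ("LEXFUL_ACCOUNT_ID", "LEXFUL_API_KEY_ID", "LEXFUL_API_KEY_SECRET")
    return TokenCache(*(os.environ[n] for n in names), **kwargs)
```

Pass `cache.headers()` on each request; the cache calls the auth endpoint only when the stored token is missing or close to expiry.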
