> ## Documentation Index
> Fetch the complete documentation index at: https://developers.lightyshare.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Learn how to authenticate with the Lightyshare API

API keys are used to authenticate requests to the Lightyshare API. Each key is tied to a specific user account and inherits the permissions of that user.

## Creating an API Key

<Steps>
  <Step title="Access your dashboard">
    Log in to your [Lightyshare owner dashboard](https://lightyshare.com/shop)
  </Step>

  <Step title="Navigate to API settings">
    Go to **Shop** → **API**
  </Step>

  <Step title="Generate a new token">
    Click **"Create New Token"** and provide a descriptive name
  </Step>

  <Step title="Copy your token">
    Copy the generated token immediately - it won't be shown again!
  </Step>
</Steps>

<Warning>
  **Important**: Store your API key securely. Treat it like a password - never commit it to version control or share it publicly.
</Warning>

## Using Your API Key

There are two ways to include your API key in requests:

### Method 1: Authorization Header (Recommended)

Include your token in the `Authorization` header using the Bearer scheme:

```bash theme={null}
curl -X GET https://lightyshare.com/api/token-secured/product/123 \
  -H "Authorization: Bearer lsh_live_abc123xyz..."
```

### Method 2: Query Parameter

For backward compatibility, you can also pass the token as a query parameter:

```bash theme={null}
curl -X GET https://lightyshare.com/api/token-secured/product/123?token=lsh_live_abc123xyz...
```

<Note>
  We recommend using the Authorization header method as it's more secure and follows industry standards.
</Note>

## Token Format

Lightyshare API tokens follow a consistent format:

```
lsh_[environment]_[unique_identifier]
```

* **lsh**: Prefix identifying a Lightyshare token
* **environment**: Either `live` for production or `test` for testing
* **unique\_identifier**: A unique string for your token

Example: `lsh_live_sk_1234567890abcdef`

## Token Permissions

API tokens inherit the permissions of the user account that created them:

* **Read Access**: View products, bundles, and rentals
* **Write Access**: Create and update products and bundles
* **Delete Access**: Remove products (if user has permission)

## Best Practices

<CardGroup cols={2}>
  <Card title="Use Environment Variables" icon="shield">
    Store tokens in environment variables, not in code

    ```bash theme={null}
    export LIGHTYSHARE_API_KEY="lsh_live_..."
    ```
  </Card>

  <Card title="Rotate Regularly" icon="arrows-rotate">
    Rotate your API keys periodically for enhanced security
  </Card>

  <Card title="Limit Scope" icon="lock">
    Create separate tokens for different applications or environments
  </Card>

  <Card title="Monitor Usage" icon="chart-line">
    Track API key usage in your dashboard to detect anomalies
  </Card>
</CardGroup>

## Revoking API Keys

If a token is compromised or no longer needed:

1. Go to your [API settings](https://lightyshare.com/shop/api)
2. Find the token in your list
3. Click **"Revoke"** next to the token
4. The token will be immediately invalidated

## Environment-Specific Tokens

Lightyshare provides different token types for different environments:

| Environment | Token Prefix | Use Case                |
| ----------- | ------------ | ----------------------- |
| Production  | `lsh_live_`  | Live production data    |
| Testing     | `lsh_test_`  | Testing and development |

<Tip>
  Always use test tokens during development to avoid affecting production data.
</Tip>

## Troubleshooting

### Common Authentication Errors

```json theme={null}
{
  "error": "Invalid or missing token",
  "code": "AUTH_INVALID_TOKEN"
}
```

**Solutions:**

* Verify your token is correct and complete
* Check you're using the right environment (live vs test)
* Ensure the token hasn't been revoked
