# Authentication

> How to authenticate requests to the Prefetch API using API keys.

## API keys

All Prefetch API endpoints (except `/health` and `/ready`) require an API key. Pass your key in the `X-API-Key` request header:

```bash
curl "https://api.prefetch.io/classify?url=https://example.com" \
  -H "X-API-Key: your_api_key_here"
```

Get your API key from the [dashboard](https://dashboard.prefetch.io).

## Key validation

Every request validates your API key against the following checks, in order:

1. **Present** — key must be included in the header
2. **Not revoked** — key has not been manually revoked
3. **Not expired** — key has not passed its expiry date
4. **Within credit limit** — key has not exceeded its configured credit limit

A missing `X-API-Key` header returns `401 Unauthorized`. All other failures (invalid, revoked, expired, or over-limit key) return `403 Forbidden`.

<Warning>
  Never expose your API key in client-side JavaScript. Proxy requests through your own backend instead.
</Warning>
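
The backend proxy the warning above recommends, as an added example (not Prefetch's own code): the browser sends only the URL to classify, and the server attaches `X-API-Key`. The `PREFETCH_API_KEY` environment variable, the function names, and the choice to turn an upstream `401`/`403` into a generic `502` are assumptions of this example.

```javascript
// Added example: server-side helper that keeps the Prefetch key off the client.
// Call it from your own route handler, e.g. (PREFETCH_API_KEY is an assumed name):
//   proxyClassify(query.url, process.env.PREFETCH_API_KEY)
const PREFETCH_CLASSIFY = "https://api.prefetch.io/classify";

// Build the upstream call. The browser supplies only the URL to classify;
// the key is attached here, on the server.
function buildUpstreamRequest(targetUrl, apiKey) {
  if (!apiKey) throw new Error("server misconfigured: no API key");
  let parsed;
  try { parsed = new URL(targetUrl); } catch { return null; }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  const upstream = new URL(PREFETCH_CLASSIFY);
  upstream.searchParams.set("url", parsed.href); // percent-encodes the value
  return { url: upstream.href, headers: { "X-API-Key": apiKey } };
}

// Decide what the browser sees for a given upstream status.
// 401/403 mean the server's key is missing, invalid, revoked, expired or over
// its credit limit: an operator problem, so the client gets a generic 502.
function clientStatusFor(upstreamStatus) {
  if (upstreamStatus === 401 || upstreamStatus === 403) return 502;
  return upstreamStatus;
}

// fetchImpl is injectable so the function can be exercised offline.
async function proxyClassify(targetUrl, apiKey, fetchImpl = fetch) {
  const req = buildUpstreamRequest(targetUrl, apiKey);
  if (req === null) return { status: 400, body: "url must be http(s)" };
  const res = await fetchImpl(req.url, { headers: req.headers });
  const text = await res.text();
  const status = clientStatusFor(res.status);
  if (status === 502 && res.status !== 502) {
    // Log the upstream reason for the operator; never log the key itself.
    console.error(`Prefetch rejected server key: ${res.status} ${text}`);
    return { status, body: "upstream authentication failure" };
  }
  return { status, body: text };
}
```

A `502` from this helper is the signal to check the key's revocation, expiry and credit-limit state in the dashboard.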

## Key security best practices

* Rotate keys regularly from the dashboard
* Use separate keys for development and production
* Set a credit limit on each key to prevent unexpected overages
* Revoke compromised keys immediately from the dashboard

## Error responses

| Status | Error message                | Cause                              |
| ------ | ---------------------------- | ---------------------------------- |
| `401`  | `"Missing API key"`          | No `X-API-Key` header provided     |
| `403`  | `"Invalid API key"`          | Key not found in the system        |
| `403`  | `"API key has been revoked"` | Key was manually revoked           |
| `403`  | `"API key has expired"`      | Key passed its expiry date         |
| `403`  | `"Credit limit exceeded"`    | Key used all its allocated credits |
