# Authentication

> Learn how to securely authenticate with the Shiftsheet API

To access the Shiftsheet public API, you must authenticate your requests using an API Key.

API Keys carry the same privileges as your Company Admin account, so they should be kept secure. Never expose your API keys in client-side code, public repositories, or frontend applications.

## Obtaining an API Key

1. Log in to your Shiftsheet Dashboard as a **Company Admin**.
2. Navigate to **Settings > Integrations & API**.
3. Under the **API Keys** tab, click **Generate Key**.
4. Provide a descriptive name for the key (e.g., "Zapier Integration").
5. Copy the generated key. **This is the only time the full key will be shown to you.**

If you lose a key, you must revoke it and generate a new one.

## Making Authenticated Requests

The Shiftsheet API uses standard HTTP `Authorization` headers. You must pass your API key as a Bearer token in every request.

```bash cURL
curl --request GET \
  --url https://api.shiftsheet.com/api/v1/timesheets \
  --header 'Authorization: Bearer ss_live_your_api_key_here'
```

```javascript Node.js
// Run this server-side only; the key below is a placeholder.
const response = await fetch('https://api.shiftsheet.com/api/v1/timesheets', {
  headers: {
    // The key is sent as a Bearer token in the Authorization header.
    'Authorization': 'Bearer ss_live_your_api_key_here',
    'Content-Type': 'application/json'
  }
});
const data = await response.json();
```

## Error Codes

If authentication fails, the API will return one of the following standard HTTP status codes:

<ResponseField name="401 Unauthorized" type="Error">
  The API key is missing, invalid, or was not formatted as a Bearer token.
</ResponseField>

<ResponseField name="403 Forbidden" type="Error">
  The API key is valid, but it has been revoked or the account no longer has permissions to perform the requested action.
</ResponseField>
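
The key-handling advice and the two status codes above, combined in a server-side sketch. This is an added example, not Shiftsheet's own code or SDK; the `SHIFTSHEET_API_KEY` variable name, the helper names, and the error labels are assumptions.

```javascript
// Added example (not from the Shiftsheet docs). Base URL is taken from the page.
const API_BASE = 'https://api.shiftsheet.com/api/v1';

// Load the key from the server-side environment instead of source code.
// SHIFTSHEET_API_KEY is an assumed variable name.
function loadApiKey(env = process.env) {
  const key = (env.SHIFTSHEET_API_KEY || '').trim();
  if (!key) throw new Error('SHIFTSHEET_API_KEY is not set');
  // Inner whitespace usually means "Bearer <key>" was pasted into the
  // variable, which would be sent as a malformed token and answered with 401.
  if (/\s/.test(key)) throw new Error('API key must not contain whitespace');
  return key;
}

// Keep the full key out of logs and error messages.
function redact(key) {
  return key.length > 12 ? `${key.slice(0, 8)}...${key.slice(-4)}` : '***';
}

// Map the two documented authentication failures to distinct labels:
// 401 -> fix the key or header, 403 -> key revoked or permissions changed.
function classifyAuthFailure(status) {
  if (status === 401) return 'missing_invalid_or_malformed_key';
  if (status === 403) return 'revoked_key_or_insufficient_permissions';
  return null;
}

// fetchImpl is injectable so the function can be exercised offline with a stub.
async function getTimesheets(key, fetchImpl = fetch) {
  const res = await fetchImpl(`${API_BASE}/timesheets`, {
    headers: { Authorization: `Bearer ${key}` },
  });
  const failure = classifyAuthFailure(res.status);
  if (failure) {
    const err = new Error(
      `Shiftsheet auth failed (HTTP ${res.status}, key ${redact(key)}): ${failure}`
    );
    err.code = failure;
    throw err;
  }
  if (!res.ok) throw new Error(`Shiftsheet request failed: HTTP ${res.status}`);
  return res.json();
}
```

Retrying a 401 or 403 with the same key will not succeed; a 403 on a previously working key is the signal to check whether it was revoked.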
