# Authentication



<section class="api-spec" id="api-section-authorization">
<div class="spec">
<div>

The Krenalis API uses API keys for authenticating requests. You can manage these keys through the Krenalis Admin console. The API keys utilize HTTP Bearer Authentication.

When accessing resources within a workspace, you can specify the workspace ID by passing the `Krenalis-Workspace` header.

### Restricted keys

API keys can be optionally restricted to a specific workspace during their creation. A **restricted key** can only be used within the assigned workspace. In this case, you do not need to include the `Krenalis-Workspace` header in your request.

</div>
<div>

  <div class="api-request-box">
    <div>Authenticated request</div>
    <div>
      <div>curl https://example.com/v1/connections \</div>
      <div>  -H "Authorization: Bearer &lt;YOUR_API_KEY&gt;"</div>
    </div>
  </div>

  <div class="api-request-box">
    <div>Authenticated request with explicit workspace ID</div>
    <div>
      <div>curl https://example.com/v1/connections \</div>
      <div>  -H "Authorization: Bearer &lt;YOUR_API_KEY&gt;"</div>
      <div>  -H "Krenalis-Workspace: &lt;WORKSPACE_ID&gt;"</div>
    </div>
  </div>

</div>
</div>
</section>

<section class="api-spec" id="api-section-authorization">
<div class="spec">
<div>

## Event write keys

To send events, it is **strongly recommended to use an event write key**, a limited credential designed specifically for event ingestion. It is tied to a single source connection, such as [SDKs](/docs/integrations#sdks) and [webhooks](/docs/integrations#webhooks), and provides access only to event ingestion endpoints:

* [Ingest events](/docs/api/events#ingest-events)
* [Ingest event](/docs/api/events#ingest-event)

### Browser and server usage

You can call event ingestion endpoints from server applications and from client apps (web and mobile). For browser-based requests, these endpoints support CORS. In most cases, the [JavaScript SDK](/docs/integrations/javascript-sdk) handles this automatically.

### Creating and managing event write keys

For SDK and webhook source connections, you can manage event write keys in the Krenalis Admin console or via the [Event write keys API](/docs/api/connections/event-write-keys).

</div>
<div>
  <div class="api-request-box">
  <div>Authenticated request with an event write key</div>
        <div>
          <div>curl https://example.com/v1/events \</div>
          <div>  -H "Authorization: Bearer &lt;YOUR_WRITE_KEY&gt;"</div>
        </div>
      </div>
  </div>
</div>
</section>

<section class="api-spec" id="api-section-organizations-key">
<div class="spec">
<div>

## Organizations API key

The [Organizations API](/docs/api/organizations) uses a dedicated key type — the **organizations API key** — instead of the standard API key. Unlike API keys and event write keys, which are created and managed by Krenalis itself, the organizations API key must be generated externally and supplied to the Krenalis installation via an environment variable. If the key is not provided, the Organizations API is disabled entirely.

The key is a string starting with `org_` followed by 43 random alphanumeric characters and must be passed as a Bearer token in the `Authorization` header. The following is an example of a shell command that uses the `python` command to generate a valid organizations API key:

```
python -c "import string, secrets; alphabet=string.ascii_letters+string.digits; print('org_'+''.join(secrets.choice(alphabet) for i in range(43)))"
```

</div>
<div>

  <div class="api-request-box">
    <div>Authenticated request with an organizations API key</div>
    <div>
      <div>curl https://example.com/v1/organizations \</div>
      <div>  -H "Authorization: Bearer &lt;YOUR_ORG_KEY&gt;"</div>
    </div>
  </div>

</div>
</div>
</section>