# API Keys

API keys are the simplest way to authenticate server-to-server calls.

## Creating and managing keys

Keys are issued and revoked from the LedgerBee app under **Marketplace → API
Keys**. A key is shown **once** at creation — store it securely; it cannot be
retrieved again.

## Using a key

Send it in the `x-api-key` request header:

```bash
curl https://api.ledgerbee.com/api/v1/company \
  -H "x-api-key: YOUR_API_KEY"
```

## Scopes

Each key carries a set of scopes that gate which endpoints it can reach. Request
the narrowest set your integration needs. Inspect a key's own scopes, IP
allowlist, and expiry with `GET /v1/api-key`, authenticated with the key
itself.

## Expiry

A key can carry an expiry date. When it does, every response authenticated
with that key includes an `X-API-Key-Expires-At` header (ISO 8601) — watch it
and rotate before the date. Rate limiting is covered in
**[Rate limits](/guides/rate-limits)**.
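
One way to act on that header from a monitoring job, as an added example (not LedgerBee's own code): it reads the response headers of any authenticated call and reports whether the key should be rotated. The 14-day warning window, the status labels, and treating an offset-less timestamp as UTC are assumptions; the guide only states that the value is ISO 8601.

```python
from datetime import datetime, timedelta, timezone

EXPIRY_HEADER = "x-api-key-expires-at"  # header name from this guide, lowercased


def parse_expiry(headers):
    """Return the key's expiry as an aware UTC datetime, or None if the header is absent."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(EXPIRY_HEADER)
    if raw is None:
        return None  # the key carries no expiry date
    value = raw.strip()
    if value.endswith(("Z", "z")):
        # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
        value = value[:-1] + "+00:00"
    expires = datetime.fromisoformat(value)  # raises ValueError on malformed input
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)  # assumption: no offset means UTC
    return expires.astimezone(timezone.utc)


def rotation_status(headers, now, warn_window=timedelta(days=14)):
    """Classify a response as ok, rotate-now, expired, no-expiry or unparseable."""
    try:
        expires = parse_expiry(headers)
    except ValueError:
        return "unparseable"  # alert on this rather than silently skipping the check
    if expires is None:
        return "no-expiry"
    remaining = expires - now
    if remaining <= timedelta(0):
        return "expired"
    return "rotate-now" if remaining <= warn_window else "ok"


if __name__ == "__main__":
    # Constructed sample response headers; real ones come from your HTTP client.
    sample = {
        "Content-Type": "application/json",
        "X-API-Key-Expires-At": "2025-01-10T00:00:00Z",
    }
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(rotation_status(sample, now))
```

Run the check on responses your integration already receives, so no extra request is needed to track the date.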

## Rotation

Rotate keys periodically and on suspected exposure: create a new key, migrate
your integration, then revoke the old one. Revocation takes effect immediately
(the key-validation cache is invalidated when a key is revoked).

> Prefer **[OAuth2 client credentials](/guides/authentication)** when you want
> short-lived tokens instead of a long-lived secret.
