> ## Documentation Index
> Fetch the complete documentation index at: https://docs.engramme.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Engramme API

## API Key Authentication

Engramme uses API key authentication for the public memory API. Include your key in the `x-api-key` header on every authenticated request.

```bash theme={null}
curl -X POST https://memorymachines-gateway-prod-btf57kda.uc.gateway.dev/v1/memorize \
  -H "x-api-key: $ENGRAMME_API_KEY" \
  -F "file=@document.txt" \
  -F "user_name=Jane Doe" \
  -F "source_type=text"
```

<Warning>
  **Keep your API key secure.** Treat it like a password. Don't commit it to version control or expose it in client-side code.
</Warning>

## Getting an API Key

Create and manage API keys in [app.engramme.com](https://app.engramme.com).

<Steps>
  <Step title="Sign in">
    Sign in to the Engramme app with Google.
  </Step>

  <Step title="Open API key management">
    Create a key with a name and billing account. New keys are shown once, so copy the value before closing the dialog.
  </Step>

  <Step title="Choose source access">
    Select **All Sources** for broad access, or **Specific Sources** to restrict the key to selected source types.
  </Step>

  <Step title="Use the key">
    Store the key in an environment variable, such as `ENGRAMME_API_KEY`, and send it with the `x-api-key` header.
  </Step>
</Steps>

## Header Format

Authenticated API requests require the `x-api-key` header:

| Header      | Value        |
| ----------- | ------------ |
| `x-api-key` | Your API key |

## Source Access

API keys can be scoped by source type:

* **All Sources**: the key can access all supported source types.
* **Specific Sources**: the key can access only the selected source types.
* **No File Access**: no sources are selected, so the key has no file/source access.

If a key is restricted and you use a source outside its allowed list, the API returns a `403`.

See [Source Types](/reference/source-types) for valid `source_type` values.

## Example Requests

<CodeGroup>
  ```bash curl theme={null}
  curl -X POST https://memorymachines-gateway-prod-btf57kda.uc.gateway.dev/v1/memories/recall \
    -H "x-api-key: $ENGRAMME_API_KEY" \
    -F "text=team meetings"
  ```

  ```python Python theme={null}
  import os
  import requests

  response = requests.post(
      "https://memorymachines-gateway-prod-btf57kda.uc.gateway.dev/v1/memories/recall",
      headers={"x-api-key": os.environ["ENGRAMME_API_KEY"]},
      data={"text": "team meetings"},
  )
  print(response.json())
  ```

  ```javascript JavaScript theme={null}
  const formData = new FormData();
  formData.append('text', 'team meetings');

  const response = await fetch(
    'https://memorymachines-gateway-prod-btf57kda.uc.gateway.dev/v1/memories/recall',
    {
      method: 'POST',
      headers: { 'x-api-key': process.env.ENGRAMME_API_KEY },
      body: formData
    }
  );
  ```
</CodeGroup>

## Security Best Practices

* Store API keys in environment variables or a secret manager.
* Make API calls from your backend; do not expose API keys in client-side JavaScript.
* Use separate keys for different apps, environments, or integrations.
* Use source-scoped keys when an app only needs one source type.
* Regenerate or delete keys you suspect are compromised. The default key cannot be deleted; regenerate it instead.

## Data Isolation

Each API key is associated with a user account. API keys can only access data available to that account and, when scoped, the selected source types.

For limits, status codes, and retry behavior, see [Errors and Limits](/reference/errors-and-limits).
