> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tarvah.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Tarvah SDK API

All SDK API endpoints require an API key for authentication. API keys are prefixed with `trvh_sdk_` and can be passed in two ways:

<CodeGroup>
  ```bash Authorization Header theme={null}
  curl -X POST https://<your-instance>/v1/sdk/import \
    -H "Authorization: Bearer trvh_sdk_abc123..." \
    -H "Content-Type: application/json" \
    -d '{ ... }'
  ```

  ```bash x-api-key Header theme={null}
  curl -X POST https://<your-instance>/v1/sdk/import \
    -H "x-api-key: trvh_sdk_abc123..." \
    -H "Content-Type: application/json" \
    -d '{ ... }'
  ```
</CodeGroup>

## Key format

| Property       | Value                                         |
| -------------- | --------------------------------------------- |
| Prefix         | `trvh_sdk_`                                   |
| Length         | 73 characters total (prefix + 64 hex chars)   |
| Hash algorithm | SHA-256 (only the hash is stored server-side) |

<Warning>
  The full API key is shown **only once** when created. Store it securely — it cannot be retrieved later.
</Warning>

## Key lifecycle

* Keys have an optional `expiresAt` date. Expired keys are rejected automatically.
* Keys can be revoked at any time from the Tarvah Settings UI.
* Each key is scoped to `sdk:import` permissions.
* `lastUsedAt` is updated on every successful authentication.

## Error responses

| Status | Body                            | Meaning                       |
| ------ | ------------------------------- | ----------------------------- |
| `401`  | `{"error": "API key required"}` | No key provided in headers    |
| `401`  | `{"error": "Invalid API key"}`  | Key not found or revoked      |
| `401`  | `{"error": "API key expired"}`  | Key past its `expiresAt` date |
