> ## Documentation Index
> Fetch the complete documentation index at: https://api.lensmor.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate Lensmor API requests with user API keys, bearer tokens, secure storage, and production key management practices.

Lensmor API requests require a user API key.

## Getting your API key

1. Sign in or create an account at [Lensmor App](https://app.lensmor.com).
2. Upgrade the account to a paid subscription plan.
3. Open **Settings → API Keys**.
4. Click **Create API Key**, give it a label, and copy the key immediately — it is only shown once.

Your key starts with `sk_` and looks like this:

```
sk_0123456789abcdef_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
```

Store it in an environment variable before making requests:

```bash theme={"theme":{"light":"github-light","dark":"github-dark"}}
export LENSMOR_API_KEY="sk_your_api_key"
```

<Note>
  API keys are available to subscribed accounts. If you do not see the API Keys section after upgrading, contact Lensmor support.
</Note>

## Base URL

`https://platform.lensmor.com`

Combine this base URL with the endpoint paths documented in the API reference. For example, `GET /external/events/list` becomes `GET https://platform.lensmor.com/external/events/list`.

## Header format

```http theme={"theme":{"light":"github-light","dark":"github-dark"}}
Authorization: Bearer sk_your_api_key
```

## Example request

```bash theme={"theme":{"light":"github-light","dark":"github-dark"}}
curl "https://platform.lensmor.com/external/events/list?page=1&pageSize=20" \
  -H "Authorization: Bearer $LENSMOR_API_KEY"
```

## How it works

* Send a Bearer token in the `Authorization` header.
* Bearer scheme matching is case-insensitive at runtime.
* Use the examples on each endpoint page for the expected request path, parameters, and response shape.

## Before you call the API

* Use a valid user API key.
* Send the header on every request.
* Expect `401 Unauthorized` when the key is missing, malformed, revoked, or otherwise invalid.

## Security recommendations

* Store API keys in a secret manager or server-side environment variable.
* Do not expose API keys in browser JavaScript, mobile app bundles, public repos, or analytics payloads.
* Rotate keys if they are accidentally logged or shared.
* Avoid logging full `Authorization` headers.
* Use your own server as a proxy when building browser-based experiences.

<Warning>
  Treat user API keys like credentials. They can access Lensmor data and initiate workflows that use the same credits as the Lensmor SaaS app.
</Warning>

## Test and production usage

Lensmor does not currently provide a separate sandbox environment. All API calls go to the production base URL.

To test your integration safely:

* Use read-only endpoints (`events/list`, `events/detail`, `exhibitors/list`, `personnel/list`, `credits/balance`) freely — they do not consume credits.
* Avoid calling credit-consuming endpoints (`events/:id/unlock`, `contacts/unlock`, `exhibitors/search-events`) until you are ready to use real data.
* Check your shared SaaS/API balance with `GET /external/credits/balance` before running paid workflows.
* API usage and Lensmor SaaS usage draw from the same credit pool for the subscribed user account.

<Tip>
  For integration development, start with the free read-only endpoints and only call credit-consuming endpoints when your workflow is validated.
</Tip>

## Notes

* Use the full `sk_...` key value from **Settings -> API Keys**. The visible key prefix alone is not enough for authentication.
* Invalid or missing keys return the shared API error format described in [Error conventions](/concepts/errors).
