> ## Documentation Index
> Fetch the complete documentation index at: https://docs.schedkit.net/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys and session cookies — how to authenticate with SchedKit.

## API Keys

All API endpoints accept an `x-api-key` header. Get your key from the dashboard under **Kit Config → API Keys**.

```bash theme={null}
curl https://schedkit.net/v1/auth/me \
  -H "x-api-key: sk_live_YOUR_KEY"
```

Keys are prefixed:

* `sk_live_` — production key
* `sk_test_` — test key (same API, isolated data)

<Warning>
  Never expose your API key in client-side code or public repos. Use environment variables.
</Warning>

## Session Cookies

The dashboard uses HTTP-only session cookies set by `POST /v1/auth/login`. Cookie auth is automatically used by browsers — no header needed.

```bash theme={null}
# Login and save cookie
curl -c cookies.txt -X POST https://schedkit.net/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"you@example.com","password":"..."}'

# Use session cookie
curl -b cookies.txt https://schedkit.net/v1/auth/me
```

## Auth endpoints

| Method | Path              | Description                    |
| ------ | ----------------- | ------------------------------ |
| `POST` | `/v1/auth/login`  | Login, set session cookie      |
| `POST` | `/v1/auth/logout` | Logout, clear session          |
| `GET`  | `/v1/auth/me`     | Get current authenticated user |

### GET /v1/auth/me

```json theme={null}
{
  "id": 42,
  "email": "you@example.com",
  "name": "Your Name",
  "slug": "yourname",
  "plan": "starter",
  "timezone": "America/Chicago"
}
```

## Error responses

Unauthenticated requests return `401`:

```json theme={null}
{ "error": "Unauthorized" }
```

Insufficient plan returns `403`:

```json theme={null}
{ "error": "Upgrade required", "upgrade": true }
```
