> ## Documentation Index
> Fetch the complete documentation index at: https://developers.lucca.fr/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate on a Legacy API.

## Authenticating

Authentication is handled through the use of an API key, which can be managed in your
[Lucca account settings](https://support.lucca.fr/hc/en-us/articles/115000084851).

Each key is given its own dedicated role that dictates the depth and breadth of its access rights. By default this
dedicated role has the same name as the API key, and it is listed at the very bottom of the list of roles in the
corresponding administration interface (i.e. /organization/structure/roles).

Once you have an API key, you must send it on every request against the Legacy APIs in the `Authorization`
HTTP header, in the following manner:

```http
Authorization: lucca application={API_KEY}
```

<Warning>Make sure to keep API keys secure. Delete a key at once if you suspect it has been
compromised and create a new one. You can also rotate API keys periodically.</Warning>

<Tip>Please note that if authentication is unsuccessful (most likely due to
an invalid API key), the server returns a `401 Unauthorized` HTTP
status code.</Tip>

<Tip>It is considered good practice to **create a new API key for each integration
project**. It gives you the opportunity to finely tune access scopes, and limits the
security impact if a key value leaks. In other words, attach the minimum
required access scope to every key. There is a guide about setting up access scopes.</Tip>

<Check>Make sure to set the "technical contact" on all keys (the email address of a tech-savvy
person on your side). This will be our primary contact point in case of technical problems
or API changes.</Check>

<RequestExample>
  ```http HTTP theme={null}
  GET /api/v3/users HTTP/2
  Host: example.ilucca.net
  Authorization: lucca application={API_KEY}
  Accept: application/json
  ```
</RequestExample>

## CORS Policy

Our Cross-Origin Resource Sharing (CORS) policy doesn't allow API calls from a web browser served from
a domain other than `ilucca.net` or `ilucca-test.net`.

If you need to automate processes using a Lucca API Key, you should do it:

* through a script
* from an API platform (e.g. Postman or Azure API Management)
* from the backend of your own application
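As an added example (not code from Lucca's documentation or SDK), the script below puts the authentication section and the CORS guidance together: it runs server-side, reads the API key from the `LUCCA_API_KEY` environment variable instead of embedding it, sends the key in the `Authorization: lucca application={API_KEY}` header exactly as shown above, and treats a `401 Unauthorized` response as a rejected key. The host `example.ilucca.net`, the environment variable name and the `opener` parameter (which exists only so the HTTP layer can be swapped out for offline tests) are assumptions of this example; the `/api/v3/users` path is the one from the request example on this page.

```python
"""Call a Lucca Legacy API endpoint with API-key authentication (stdlib only).

Added example for this page; not part of Lucca's own documentation or tooling.
"""
import json
import os
import sys
import urllib.error
import urllib.request

# Scheme used by the Legacy APIs: "Authorization: lucca application={API_KEY}"
LEGACY_AUTH_SCHEME = "lucca application"


def build_headers(api_key: str) -> dict:
    """Return the request headers the Legacy API expects.

    The key is sent verbatim after "lucca application=", so reject values that
    could not be a single header token (empty or containing whitespace).
    """
    if not api_key or any(ch.isspace() for ch in api_key):
        raise ValueError("API key must be a non-empty token without whitespace")
    return {
        "Authorization": f"{LEGACY_AUTH_SCHEME}={api_key}",
        "Accept": "application/json",
    }


def get_users(host: str, api_key: str, *, opener=None):
    """GET /api/v3/users on the given tenant host.

    Returns (status, parsed_json) on success and (401, None) when the server
    rejects the key, so callers can distinguish "bad credentials" from other
    HTTP errors, which are re-raised unchanged.

    `opener` is an assumed hook (any object with .open(request, timeout=...))
    so the function can be exercised without network access.
    """
    url = f"https://{host}/api/v3/users"
    req = urllib.request.Request(url, headers=build_headers(api_key), method="GET")
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            # Invalid or revoked key: the page documents 401 for this case.
            return 401, None
        raise


def main() -> None:
    # Keep the key out of source control and command lines: read it from the
    # environment (variable name is an assumption of this example).
    api_key = os.environ.get("LUCCA_API_KEY")
    if not api_key:
        sys.exit("set LUCCA_API_KEY in the environment before running")
    status, body = get_users("example.ilucca.net", api_key)  # assumed tenant host
    if status == 401:
        sys.exit("authentication failed: the API key was rejected (invalid or revoked)")
    print(json.dumps(body, indent=2))


if __name__ == "__main__":
    main()
```

Because the key travels in a request header from a script or backend rather than from browser code, it never reaches a third-party origin, which is the situation the CORS policy above is designed to rule out.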
