> ## Documentation Index
> Fetch the complete documentation index at: https://docs.launchboard.xyz/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate with the Launchboard API

> Learn how to create API keys, include them in requests, and handle authentication errors when integrating with the Launchboard API.

The Launchboard API authenticates requests using API keys passed as bearer tokens. Every request to a `/api/v1/*` endpoint must include your API key in the `Authorization` header. Requests without a valid key are rejected with a `401 Unauthorized` response.

## Create an API key

Open **Settings → API Keys** in the Launchboard dashboard and click **Create API Key**. Give the key a descriptive name — for example, the name of the integration or service that will use it — and choose the minimum role that integration requires.

<Warning>
  The plaintext key is shown exactly once, immediately after creation. Launchboard stores only a SHA-256 hash. Copy it and store it in a secret manager or environment variable before closing the dialog. If you lose it, you'll need to revoke the key and create a new one.
</Warning>

## Key format

API keys issued in production use the prefix `pg_live_`. Keys issued in non-production environments use `pg_test_`. You can tell at a glance which environment a key belongs to.

```
pg_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

## Make an authenticated request

Include your API key in the `Authorization` header of every request:

```
Authorization: Bearer pg_live_your_key_here
```

<CodeGroup>
  ```bash cURL theme={null}
  curl https://launchboard.xyz/api/v1/stakeholders \
    -H "Authorization: Bearer pg_live_your_key_here"
  ```

  ```javascript JavaScript theme={null}
  const res = await fetch('https://launchboard.xyz/api/v1/stakeholders', {
    headers: { 'Authorization': 'Bearer pg_live_your_key_here' }
  });
  const data = await res.json();
  ```
</CodeGroup>

## Error responses

<ResponseField name="401 Unauthorized" type="object">
  The `Authorization` header is missing, malformed, or the key is invalid or revoked. Check that you've included the header and that the key value is correct.
</ResponseField>

<ResponseField name="403 Forbidden" type="object">
  The key is valid but the role assigned to it does not have permission to perform the requested operation. Use a key with a higher role, or request the minimum necessary permissions for your use case.
</ResponseField>

Both responses follow the RFC 9457 Problem Details format:

```json theme={null}
{
  "type": "https://api.launchboard.xyz/problems/unauthorized",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Authentication required"
}
```

## Security

<Warning>
  Treat API keys like passwords. Anyone who holds a key has full access to your organization's cap table data at the role level assigned to that key. Store keys in environment variables or a secrets manager — never commit them to source control or embed them in client-side code. If a key is compromised, revoke it immediately in **Settings → API Keys** and issue a replacement.
</Warning>

## Rate limiting

API requests are rate limited. When your integration exceeds the limit, the API returns `429 Too Many Requests` with a `Retry-After` header indicating how many seconds to wait before retrying. Build exponential backoff into any integration that makes bulk or high-frequency requests.
