# Authentication

> Authenticate requests to the Warrn API using API keys.

## API Keys

To authenticate, send an `Authorization` header whose value is `Bearer warrn_xxxxxxxxx`, where `warrn_xxxxxxxxx` is your API key.

```
Authorization: Bearer warrn_xxxxxxxxx
```

```bash
curl -X GET "https://api.warrn.io/alerts/" \
  -H "Authorization: Bearer warrn_k8sM2vL9xQ7nP4wR..."
```

API keys use the format `warrn_` followed by a random string. You receive the full key once at creation time — store it securely.

## Create an API Key

<Steps>
  <Step title="Open Settings">
    Go to **Settings → API Keys** in your Warrn dashboard.
  </Step>

  <Step title="Create a key">
    Click **Create API Key**. Give it a name (e.g. "Monitoring integration") and select a permission level.
  </Step>

  <Step title="Copy the key">
    Copy the key immediately. You won't be able to see it again.
  </Step>
</Steps>

## Permissions

Each API key has a permission level that controls what it can do:

| Permission | Can read alerts | Can create/close alerts | Can manage settings |
| ---------- | --------------- | ----------------------- | ------------------- |
| `read`     | Yes             | No                      | No                  |
| `write`    | Yes             | Yes                     | No                  |
| `admin`    | Yes             | Yes                     | Yes                 |

<Warning>
  Use the minimum permission level your integration needs. A monitoring tool that sends alerts only needs `write`. A dashboard that displays alerts only needs `read`.
</Warning>

## Rate Limits

Each API key is limited to **1,000 requests per hour** by default. If you exceed the limit, requests return `429 Too Many Requests`.

## IP Allowlists

You can restrict an API key to specific IP addresses. When configured, requests from other IPs are rejected with `403 Forbidden`.

Leave the allowlist empty to permit requests from any IP.

## Key Identification

Each key is identified by its first 8 characters (the prefix). This appears in the dashboard and logs so you can identify which key made a request without exposing the full key.
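
The sketch below is an added example, not code from Warrn: a small client that keeps the key out of source code, logs only the 8-character prefix, and treats `429` and `403` differently, as the sections on rate limits, IP allowlists and key identification imply. The environment variable name, the backoff schedule, the function names and the reading of "first 8 characters" as including `warrn_` are assumptions made for this example.

```python
import os
import time
import urllib.error
import urllib.request

API_BASE = "https://api.warrn.io"  # host taken from the curl example on this page
KEY_ENV_VAR = "WARRN_API_KEY"      # assumption: variable name chosen for this example


def load_api_key(env=os.environ):
    """Read the key from the environment so it never lives in source control."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key.startswith("warrn_") or len(key) <= len("warrn_"):
        raise ValueError(f"{KEY_ENV_VAR} is missing or is not a warrn_ key")
    return key


def key_id(key):
    """Loggable identifier. Assumption: the 8 characters include 'warrn_'."""
    return key[:8]


def build_request(key, path="/alerts/"):
    """GET request carrying the Bearer header described under API Keys."""
    req = urllib.request.Request(API_BASE + path, method="GET")
    req.add_header("Authorization", f"Bearer {key}")
    return req


def next_action(status, attempt, max_attempts=4):
    """Map a status code to (action, seconds_to_wait)."""
    if status == 429:  # hourly rate limit exceeded
        # Assumption: client-side exponential backoff of 1, 2, 4, 8 seconds.
        return ("retry", 2 ** attempt) if attempt < max_attempts else ("give_up", 0)
    if status == 403:  # per this page: source IP is not on the key's allowlist
        return ("check_allowlist", 0)  # retrying from the same IP will not help
    return ("ok", 0) if 200 <= status < 300 else ("error", 0)


def fetch_alerts(key, sleep=time.sleep):
    """Call GET /alerts/, backing off on 429 and logging only the key prefix."""
    for attempt in range(5):
        try:
            with urllib.request.urlopen(build_request(key), timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            action, wait = next_action(err.code, attempt)
            print(f"key {key_id(key)}: HTTP {err.code} -> {action}")
            if action != "retry":
                raise
            sleep(wait)
```
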
