> ## Documentation Index
> Fetch the complete documentation index at: https://api.tryspecter.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> One team-level API key, sent on the X-API-Key header with every request.

Specter uses a single, team-level API key, so every call is tied to your firm's workspace. Rate and credit limits apply at the workspace level.

## Your API key

Your key lives in the [API Console](https://app.tryspecter.com/settings/api-console) — copy it straight to your clipboard. No key yet? Click **Request API Access** there; requests are reviewed and approved within one business day.

<Accordion title="Why only one key per team?">
  Most investment teams work collaboratively from one source of truth. A shared key keeps data permissioning straightforward while still enforcing rate and credit limits at the workspace level.
</Accordion>

## Making an authenticated request

<CodeGroup>
  ```bash cURL theme={null}
  curl --request GET \
    --url https://app.tryspecter.com/api/v1/lists/companies \
    --header 'X-API-Key: YOUR_API_KEY'
  ```

  ```python Python theme={null}
  import requests

  resp = requests.get(
      "https://app.tryspecter.com/api/v1/lists/companies",
      headers={"X-API-Key": "YOUR_API_KEY"},
  )
  print(resp.json())
  ```

  ```javascript JavaScript theme={null}
  const res = await fetch("https://app.tryspecter.com/api/v1/lists/companies", {
    headers: { "X-API-Key": "YOUR_API_KEY" },
  });
  const data = await res.json();
  ```
</CodeGroup>

For a full walkthrough of your first request, see the [Quickstart](/api-ref/quickstart).

## Keep your key safe

Treat the key like a password — it grants access to your firm's data.

* Store it in an environment variable (e.g. `SPECTER_API_KEY`), never hard-coded in source.
* Never put it in client-side code, a browser, or a public repository.
* If a key is exposed, contact [api-support@tryspecter.com](mailto:api-support@tryspecter.com) to rotate it.

## Authentication errors

| Code  | Meaning                                                   | Fix                                                                                                            |
| ----- | --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| `401` | Missing or invalid key                                    | Confirm you're sending the `X-API-Key` header (not `Authorization: Bearer`) and the key is correct and active. |
| `403` | Key is valid, but your plan doesn't include this endpoint | Contact support to discuss access.                                                                             |

For the full list — including credit (`402`) and rate (`429`) limits — see [Errors](/api-ref/errors).

## What the API can see

Lists and saved searches are only visible to the API once shared with it (a one-click toggle in the app) — full rules in [Lists](/api-ref/lists) and [Saved Searches](/api-ref/saved-searches).
