> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fribl.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticating requests to the Fribl API

# Authentication

All Fribl API requests require authentication via an API key, with the exception of the [Skills Search](/api-reference/introduction) endpoints which are publicly accessible.

## API key

Include your API key in the `x-api-key` header with every request:

```bash theme={null}
curl -X POST https://api-service.fribl.co/api/v1/cvs/analyze \
  -H "x-api-key: your-api-key-here" \
  -H "Content-Type: application/json" \
  -d '{"inputs": ["CV text content here"]}'
```

<Info>
  Your API key is a UUID (e.g., `a1b2c3d4-e5f6-7890-abcd-ef1234567890`). Contact Fribl to obtain your key.
</Info>

<Note>
  Every API key belongs to a **workspace**, and all keys in a workspace share one token balance. Billable requests draw from that balance — see [Tokens & Billing](/tokens).
</Note>

## Accept-Language header

Optionally, include the `Accept-Language` header on retrieval endpoints to receive skill names and analysis output in your preferred language:

```bash theme={null}
curl -X GET https://api-service.fribl.co/api/v1/cvs/{id} \
  -H "x-api-key: your-api-key-here" \
  -H "Accept-Language: fr"
```

Defaults to `en` (English) on the public API when not specified. See [Supported Languages](/supported-languages) for all available language codes.

For update requests, declare the language of the submitted payload in the JSON body using `content_language`. Do not use `Accept-Language` to describe the language you are sending.

## Error responses

Requests with a missing or invalid API key receive a `401 Unauthorized` response:

```json theme={null}
{
  "error": "Invalid API Key."
}
```

## Security best practices

<Warning>
  Never expose your API key in client-side code, public repositories, or browser requests. Always call the Fribl API from your backend server.
</Warning>

* Store API keys in environment variables or a secrets manager
* Rotate keys periodically
* Use separate keys for development and production environments
