---
title: Authentication
description: How to authenticate against the Scripto HTTP API — the Authorization Bearer header, the scripto_ key prefix, and how keys are minted.
---

<Note>

The [`scripto` CLI](/cli/overview) handles auth for you after `scripto auth login-complete` or `scripto config set --api-key`. Use the header below only when calling the API directly.

</Note>

## The header

Send your key as a Bearer token on every authenticated route:

| Header | Value |
|---|---|
| `Authorization` | `Bearer scripto_…` |

```bash
curl -sS https://scripto.codika.io/api/articles \
  -H "Authorization: Bearer $SCRIPTO_API_KEY"
```

A missing or invalid key returns `401 unauthenticated`.

## Key prefix

Every CLI key starts with **`scripto_`**. Keys are owned by a single user (their `referenceId`), and every data route scopes its rows to that user — see [per-user scoping](/api-reference/overview#per-user-scoping).
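The header and prefix rules above can be checked client-side before a request leaves the machine. This is an added example, not Scripto's own code: the function names, exit codes and the rejected-character check are assumptions, and it passes the header to curl on stdin so the key never shows up in the process argument list.

```shell
#!/usr/bin/env bash
# Added example: helper names and exit codes are illustrative, not part of Scripto.

# Succeeds only if the key has the documented scripto_ prefix, a non-empty
# remainder, and no whitespace, control, quote or backslash characters that
# could break out of the quoted header line written to the curl config.
scripto_key_ok() {
  case "$1" in
    scripto_) return 1 ;;
    *[[:space:]]* | *[[:cntrl:]]* | *\"* | *\\*) return 1 ;;
    scripto_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints a curl config line carrying the Authorization header.
scripto_curl_config() {
  scripto_key_ok "${SCRIPTO_API_KEY:-}" || {
    echo "SCRIPTO_API_KEY is unset or does not look like a scripto_ key" >&2
    return 2
  }
  printf 'header = "Authorization: Bearer %s"\n' "$SCRIPTO_API_KEY"
}

# GETs URL ($1), writing the body to $2 (default: discarded).
# Returns 0 on 2xx, 3 on 401, 2 on a bad local key, 1 otherwise.
scripto_get() {
  cfg=$(scripto_curl_config) || return 2
  status=$(printf '%s\n' "$cfg" |
    curl -sS --config - -o "${2:-/dev/null}" -w '%{http_code}' "$1") || return 1
  case "$status" in
    2??) return 0 ;;
    401) echo "401 unauthenticated: key missing or invalid" >&2; return 3 ;;
    *)   echo "unexpected HTTP status $status" >&2; return 1 ;;
  esac
}
```

Source the file, export `SCRIPTO_API_KEY`, then call `scripto_get https://scripto.codika.io/api/articles articles.json`.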

## Where keys come from

| Path | How |
|---|---|
| **OTP** | `POST /api/cli/login-request` then `POST /api/cli/login-complete` returns a key. Backs `scripto auth …`. See [CLI auth](/api-reference/cli-auth). |
| **Web Settings** | Mint a named key in the app; the raw value is shown once. |
| **`POST /api/keys`** | Mint a key for the authenticated principal (web-session scoped). See [create key](/api-reference/create-key). |

The raw secret is returned **only at creation** and is never retrievable again. Listing keys returns metadata only.

## Two auth paths coexist

The CLI uses static `scripto_` Bearer keys. Desktop/web agents use a per-user **OAuth** access token over the [MCP connector](/integrations/claude-desktop-mcp). Both resolve, server-side, to the same `userId` and the same per-user authorization rule — the apiKey and OAuth paths sit side by side over one user table.

## Next

- **[API keys](/concepts/api-keys)** — the full key policy (long-lived, named, revocable).
- **[CLI auth (OTP)](/api-reference/cli-auth)** — the public provisioning routes.
