# Authentication

> Authenticate Guard API calls with your Guardian API key.

The Guard API authenticates with an **API key** sent in a request header.

## The header

```
X-Starfort-Guard-Api-Key: sf_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

* Keys are created per **Guardian** in the Console and start with `sf_`.
* A key is shown **once** at creation — store it securely.
* The key's **name** is recorded as a tag on every trace, so name keys by caller/environment.

There are no auth query parameters — authentication is header-only.

## Invalid or missing key

A key is rejected with **HTTP 401** when it is **missing**, **not found / malformed**, or **revoked**. Revocation is permanent and irreversible — a revoked key never authenticates again.

```json
{
  "ok": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid credentials (getApiGuardGate)",
    "details": "API_KEY_INVALID"
  }
}
```

## Authentication vs. active state

Authentication (the 401 above) is checked **before**, and separately from, whether the key is currently allowed to run. A key that authenticates can still be stopped because an admin toggled it **inactive** or a **Kill Switch** fired on a parent resource — those are *not* 401s and don't reveal which resource blocked them. See [Errors & states](/en/v1.2/api/errors).
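A client-side sketch of the rules above, added here as an example and not Starfort's own code: it builds the header, keeps the key out of logs, and treats a 401 as a reason to replace the key instead of retrying. The function names and the handling of non-401 responses are assumptions; the header name, the `sf_` prefix and the sample 401 body come from this page.

```python
import json

HEADER = "X-Starfort-Guard-Api-Key"  # header name from this page

# The 401 body shown on this page, embedded so the example runs offline.
SAMPLE_401 = ('{"ok": false, "error": {"code": "UNAUTHORIZED", '
              '"message": "Invalid credentials (getApiGuardGate)", '
              '"details": "API_KEY_INVALID"}}')

def build_headers(api_key):
    """Return the auth header; fail early on values that cannot be a Guard key."""
    if not api_key or not api_key.startswith("sf_"):
        raise ValueError("Guard API keys start with 'sf_'")
    # Header-only: the key is never placed in a URL or query string.
    return {HEADER: api_key}

def redact(headers):
    """Copy of the headers that is safe to log: the key value is masked."""
    return {k: ("sf_***" if k.lower() == HEADER.lower() else v)
            for k, v in headers.items()}

def classify(status, body):
    """Map a response to (action, details) for the caller's error handling."""
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}
    error = payload.get("error")
    details = error.get("details") if isinstance(error, dict) else None
    if status == 401:
        # Missing, not found / malformed, or revoked. Revocation is permanent,
        # so retrying with the same key cannot succeed.
        return ("auth_failed_replace_key", details)
    if status >= 400 or payload.get("ok") is False:
        # Assumption: any other failure is not an authentication problem
        # (for example an inactive key or a Kill Switch); do not rotate keys.
        return ("non_auth_error", details)
    return ("ok", None)
```
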

## Managing keys

Keys can be active or inactive, and can be revoked. Revocation is permanent. See [Manage API keys](/en/v1.2/admin/api-keys) for the full lifecycle.
