> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vantage.sh/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate your requests using API keys.

The Vantage API authenticates all requests with an API access token. Tokens are required to ensure stability of the API and enforce rate limiting. If you do not include a token along with a request or pass an incorrect value, an error is returned within the API response.

<Warning>
  Keep your token in a safe place; do not share it.
</Warning>

## Create a Vantage API Service Token

Service tokens are associated with an account, not with an individual user. These tokens ensure that any changes to specific users within your Vantage account will not disrupt automated workflows.

<Info>
  All Service Tokens created in non-Enterprise accounts are assigned to the Everyone team.
</Info>

For Enterprise customers who use Teams and Role-Based Access Control, tokens can be attached to specific teams and will inherit the permissions from their associated team. Users with Organization Owner or Team Owner permissions can create API service tokens.

<Tip>
  **Best Practice for Kubernetes and Terraform:** Service tokens used for the [Kubernetes agent](/kubernetes_agent) or [Terraform provider](/terraform) should be assigned to the **Everyone** team. This is required for organization-level actions such as managing provider integrations and creating teams. Service tokens assigned to other teams will not have the necessary permissions for these organization-level operations, which can result in authorization errors.
</Tip>

To generate an API service token:

<Steps>
  <Step>
    On the left navigation of the **Settings** screen, select **API Access Tokens**.
  </Step>

  <Step>
    Enter a new token name, choose a team (Enterprise accounts), select the **Read** and/or **Write** scope, and click **Create**.
  </Step>

  <Step>
    Click **Show** to reveal and copy your token.
  </Step>
</Steps>

To revoke a token, click **Delete**.

## Create a Vantage API Personal Access Token

Personal access tokens are associated with the user who created the token.

To generate an API personal access token:

<Steps>
  <Step>
    On the left navigation of the **Settings** screen, select **API Access Tokens**, then navigate to the **Personal Access Tokens** tab.
  </Step>

  <Step>
    Enter a new token name, select the **Read** and/or **Write** scope, and click **Create**.
  </Step>

  <Step>
    Click **Show** to reveal and copy your token.
  </Step>
</Steps>

To revoke a token, click **Delete**.

## Choose the Right Token

Use the following guidance when deciding which token type to use:

| Token type                | Best for                                                                                          | Notes                                                                            |
| ------------------------- | ------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- |
| **Service token**         | Shared automation, background jobs, CI pipelines, and long-lived integrations                     | In Enterprise accounts, the token inherits the permissions of its assigned team. |
| **Personal access token** | Interactive testing, local scripts, and requests that should run with an individual user's access | The token's access follows the user who created it.                              |

<Info>
  In Enterprise accounts, a token can only access the workspaces and items available to its team. If an automation needs organization-level access, such as managing provider integrations, assign the service token to the **Everyone** team. See the [RBAC permissions reference](/rbac_permissions).
</Info>

## Use Your Access Token in a Request

Pass your access token through the `Authorization` header of a request:

```bash theme={null}
curl --request GET \
  --url https://api.vantage.sh/v2/cost_reports \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <YOUR TOKEN>'
```
