> ## Documentation Index
> Fetch the complete documentation index at: https://docs.linkrmap.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How the x-api-key header works, and what it does not do.

Every request needs an `x-api-key` header.

```bash theme={null}
curl -H "x-api-key: linkr_test_demo01" \
  "https://linkrmap.com/api/v1/hotspots"
```

## The key format

A valid key matches this pattern:

```
linkr_(test|live)_[a-zA-Z0-9]{6,}
```

That is: the prefix `linkr_test_` or `linkr_live_`, followed by at least six
alphanumeric characters. For example, `linkr_test_demo01` is valid.

<Warning>
  This is a **shape check, not a credential lookup**. The API only verifies that your key
  matches the pattern above. There is no key store, no issuance, no dashboard, no
  revocation, no rate limiting, and no per-key metering. `linkr_test_aaaaaa` authenticates
  exactly as well as any other well-formed key.

  It exists to keep the demo endpoints tidy and to reserve the header for the future. Do
  not treat it as a secret, and do not build billing or quotas on top of it.
</Warning>

## Test vs live prefixes

Both `linkr_test_` and `linkr_live_` keys are accepted and behave identically today,
because the dataset is a static preview. Use `linkr_test_` for now.

## Missing or malformed keys

A request without a valid key returns `401`:

```json theme={null}
{
  "error": "Unauthorized",
  "message": "Invalid or missing API key. Include x-api-key header with a valid key (linkr_test_* or linkr_live_*)."
}
```
