# Authentication

> Create a Neo API key in the dashboard and authenticate your requests with a bearer token.

The Neo API authenticates with an **API key** — a long-lived secret you create in the dashboard and send as a bearer token on every request. A key belongs to the tenant that created it and carries that tenant's access, so you never pass a client or tenant id yourself.

## Create an API key

API keys are created in the dashboard, by an admin, under **Roles & Access**.

<Steps>
  <Step title="Open the API Keys tab">
    Go to [**Roles & Access** → **API Keys**](https://dashboard.neoagent.io/rbac?tab=api-keys). You'll need the **Admin** role — only admins can manage keys.
  </Step>

  <Step title="Create the key">
    Click **Create API key**, give it a recognisable name (e.g. *Billing export script*), and optionally set an expiry. Leave the expiry blank for a key that never expires.
  </Step>

  <Step title="Copy it now">
    The key is shown **once**, right after creation. Copy it and store it somewhere safe — you can't retrieve it again later.
  </Step>
</Steps>

<Warning>
  Your API key is shown only once and can't be recovered. If you lose it, [rotate or revoke](#rotating-and-revoking-keys) it and issue a new one. Anyone with the key can act on your tenant through the API, so treat it like a password.
</Warning>

A key looks like this — `neo_sk_`, the environment, then a random secret:

```
neo_sk_prod_AbCdEf0123456789AbCdEf01
```

## Authenticate a request

Send the key in the `Authorization` header as a bearer token:

```bash
curl https://api.neoagent.io/public-api/agents \
  -H "Authorization: Bearer neo_sk_prod_AbCdEf0123456789AbCdEf01"
```

That's the only credential a request needs. The key resolves to your tenant on Neo's side — there is no separate tenant or client header.

## Rotating and revoking keys

Manage existing keys from the same [**API Keys**](https://dashboard.neoagent.io/rbac?tab=api-keys) tab:

| Action     | What happens                                                                                                                                                          |
| ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Rotate** | Issues a fresh key immediately and keeps the current key working for **24 hours**, so you can roll it out without downtime. After 24 hours the old key stops working. |
| **Revoke** | Disables the key **immediately and permanently**. Any integration still using it stops working at once.                                                               |

<Tip>
  Use one key per integration and name it for that integration. That way you can rotate or revoke a single consumer without touching the others, and the **Last used** column tells you which keys are still live.
</Tip>

## Security best practices

* Store keys in a secrets manager or your platform's environment configuration — never commit them to source control.
* Don't embed keys in browsers, mobile apps, or anything a customer could inspect — the API is for server-to-server use.
* Rotate on a schedule, and immediately if a key may have leaked.
* Set an expiry on keys meant to be short-lived.
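
To back up the "never commit them to source control" rule, the following check scans files for strings shaped like a Neo API key and can run as a pre-commit hook or CI step. It is an added example, not part of Neo's tooling. The pattern is an assumption inferred from the single sample key on this page, and the function name and allowlist variable are hypothetical.

```bash
#!/bin/sh
# Assumed key shape, inferred from the sample on this page:
#   neo_sk_<environment>_<alphanumeric secret>
# Tighten or loosen the pattern if your real keys differ.
NEO_KEY_PATTERN='neo_sk_[a-z]+_[A-Za-z0-9]{16,}'

# The documentation's published sample key. It is not a live secret, so it is
# allowed to appear in docs and fixtures without failing the check.
NEO_KEY_ALLOWLIST='neo_sk_prod_AbCdEf0123456789AbCdEf01'

# scan_for_neo_keys FILE...
# Prints "file:line: <prefix>_[redacted]" for every key-shaped string that is
# not allowlisted. Returns 1 if anything was found, 0 otherwise.
scan_for_neo_keys() {
  hits=$(
    for file in "$@"; do
      [ -f "$file" ] || continue
      # -I skips binary files, -n adds line numbers, -o prints only the match,
      # so each output line is "<lineno>:<key>".
      grep -InoE "$NEO_KEY_PATTERN" "$file" 2>/dev/null |
        while IFS=: read -r lineno key; do
          [ "$key" = "$NEO_KEY_ALLOWLIST" ] && continue
          # Report only the prefix so the secret does not end up in CI logs.
          printf '%s:%s: %s_[redacted]\n' "$file" "$lineno" "${key%_*}"
        done
    done
  )
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# When run with file arguments, the exit status is the scan result.
[ "$#" -eq 0 ] || scan_for_neo_keys "$@"
```

Saved under a name of your choice (for example `scan-neo-keys.sh`), it can be fed the staged files with `git diff --cached --name-only -z --diff-filter=ACM | xargs -0 sh scan-neo-keys.sh`. A key that reaches this check should still be rotated or revoked, since it has already left the secrets manager.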

<Info>
  Keys can't create other keys — minting and rotating keys is an admin-only dashboard action. The dashboard itself signs in with your Microsoft account rather than an API key; API keys are for your own scripts and integrations.
</Info>

## What's next

<Card title="Make your first request" icon="rocket" href="/developers/quickstart">
  List your agents and read the response envelope.
</Card>
