> ## Documentation Index
> Fetch the complete documentation index at: https://docs.spikeapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Spike Care API

All Spike Care API requests must include a valid API key in the `Authorization` header. The API key is associated with your EMR (electronic medical record) and is validated on every request.

## Sending the API key

Use HTTP Bearer authentication:

```http theme={null}
Authorization: Bearer <your_api_key>
```

Example with curl:

```bash theme={null}
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://api.spikecare.com/public/v1/clinics
```

## How it works

* The server reads the value after `Bearer ` from the `Authorization` header.
* The key is looked up in the EMR registry. If it matches an EMR record, the request is allowed and the EMR ID is used for scoping.
* If the header is missing, empty, or the key does not match any EMR, the server responds with **401 Unauthorized**.

## Getting an API key

API keys are issued per EMR. To obtain or manage keys for your organization, use the Spike Care Portal or contact Spike to set up your integration.

## Security

* Treat API keys as secrets. Do not commit them to source control or expose them in client-side code.
* Use HTTPS for all requests so the key is not sent in the clear.