> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cativa.digital/llms.txt
> Use this file to discover all available pages before exploring further.

# Quick Start: First API call in 2 minutes

> Create an API Key and make your first request with 1 line of cURL.

This flow is ideal for **scripts, jobs, and server-to-server syncs** — anything that doesn't involve an interactive user. If you want the user to log in, use [Sign in with Cativa](/en/get-started/quickstart-sign-in).

<Steps>
  <Step title="Create an API Key">
    In the Console, go to **Developers > API Keys > Create**.

    Give it a name (e.g. `Sync HubSpot prod`) and click **Create**. The key is shown **only once** in the format:

    ```
    cativa_live_8c1d4e2a3b5f4d8a9c6e7f0b1a2d3e4f
    ```

    Copy and store it safely — you can't view it again. If you lose it, generate a new one and revoke this one.
  </Step>

  <Step title="Make your first request">
    Fetch the data of the user associated with the key (canonical endpoint for credential validation):

    <CodeGroup>
      ```bash cURL theme={null}
      curl https://apis.cativalab.digital/tenant/v1/auth/me \
        -H "Authorization: Bearer cativa_live_8c1d4e2a3b5f4d8a9c6e7f0b1a2d3e4f"
      ```

      ```js Node theme={null}
      const res = await fetch('https://apis.cativalab.digital/tenant/v1/auth/me', {
        headers: {
          'Authorization': `Bearer ${process.env.CATIVA_API_KEY}`
        }
      });
      const me = await res.json();
      ```

      ```python Python theme={null}
      import requests
      res = requests.get(
          'https://apis.cativalab.digital/tenant/v1/auth/me',
          headers={
              'Authorization': f"Bearer {os.environ['CATIVA_API_KEY']}"
          }
      )
      me = res.json()
      ```

      ```csharp C# theme={null}
      using var http = new HttpClient();
      http.DefaultRequestHeaders.Authorization =
          new AuthenticationHeaderValue("Bearer", apiKey);
      var res = await http.GetAsync("https://apis.cativalab.digital/tenant/v1/auth/me");
      var json = await res.Content.ReadAsStringAsync();
      ```
    </CodeGroup>

    The response includes the `id` of the user tied to the key, `email`, `displayName`, `role`, the `customer` (tenant) name and the effective session token. Use it as a sanity check that your key is valid and points to the right tenant.

    <Note>
      The tenant is resolved automatically from the key — no extra header is required. Each API Key belongs to a single tenant; every authenticated call already arrives with the right context.
    </Note>
  </Step>

  <Step title="That's it!">
    From here you can call any other authenticated API endpoint with the same `Authorization: Bearer cativa_live_...`.

    <Note>
      The public endpoint catalog (including user creation, badge assignment and community/post reads) is **coming soon** in this documentation. Until then, align specific endpoints with the Cativa team at [dev@cativa.digital](mailto:dev@cativa.digital).
    </Note>
  </Step>
</Steps>

## Best practices

<AccordionGroup>
  <Accordion title="Don't commit keys">
    Use environment variables (e.g. `CATIVA_API_KEY`) or a secrets vault (Doppler, 1Password Secrets, AWS Secrets Manager). Never commit keys to your repo.
  </Accordion>

  <Accordion title="Name your keys">
    Use descriptive names (`Sync HubSpot prod`, `CI build`, `Migration 2026-Q2`) — makes it easier to audit and revoke the right one.
  </Accordion>

  <Accordion title="Rotate periodically">
    We recommend rotation every 90 days. If a key leaks, revoke it immediately in the Console and generate a new one.
  </Accordion>

  <Accordion title="Handle errors">
    `401 Unauthorized` means the credential is invalid or has been revoked. `403 Forbidden` indicates a valid key without permission for the resource. Always log the `traceId` returned in the error response body.
  </Accordion>
</AccordionGroup>
