# Authentication

> Generate, store, and use your Shasta Health API key to authenticate requests.

## Overview

All Shasta Health API requests are authenticated with an API key passed in the `Authorization` header. This guide walks through generating a key, storing it securely, and using it in your requests.

## Generating an API key

1. Log in to the [Shasta provider portal](https://app.shasta.health).
2. Navigate to **Settings > API** at [app.shasta.health/provider/settings/api](https://app.shasta.health/provider/settings/api).
3. Click **Create API Key**.
4. Give the key a descriptive name (e.g. "Production Eligibility" or "Staging").
5. Copy the key immediately — it will only be shown once.

<Warning>
  Your API key is displayed only at the time of creation. If you lose it, you will need to generate a new one.
</Warning>

## Storing your API key securely

* **Never commit API keys to source control.** Use environment variables or a secrets manager instead.
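* Store the key in an environment variable such as `SHASTA_HEALTH_API_KEY`. The request examples on this page read `SHASTA_API_KEY`, so use one name consistently between your environment and your code.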
* In production, use a secrets manager like AWS Secrets Manager, Google Secret Manager, HashiCorp Vault, or your platform's built-in secrets (e.g. Vercel Environment Variables).
* Restrict access to the key to only the services and team members that need it.
* Rotate keys periodically and revoke any that are no longer in use.

## Using the API key

Pass your API key in the `Authorization` header with the `Key` prefix:

```
Authorization: Key <your-api-key>
```

<CodeGroup>
  ```bash curl theme={null}
  curl -X POST https://app.shasta.health/api/eligibility \
    -H "Authorization: Key $SHASTA_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{
      "tradingPartnerServiceId": "60054",
      "provider": {
        "organizationName": "Shasta Medical Group",
        "npi": "1234567890"
      },
      "subscriber": {
        "firstName": "Jane",
        "lastName": "Doe",
        "dateOfBirth": "19800115",
        "memberId": "XYZ123456"
      }
    }'
  ```

  ```typescript JavaScript / TypeScript theme={null}
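  const SHASTA_API_KEY = process.env.SHASTA_API_KEY;
  if (!SHASTA_API_KEY) {
    // Without this guard the header would be sent as "Key undefined".
    throw new Error("SHASTA_API_KEY is not set");
  }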

  const response = await fetch("https://app.shasta.health/api/eligibility", {
    method: "POST",
    headers: {
      "Authorization": `Key ${SHASTA_API_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      tradingPartnerServiceId: "60054",
      provider: {
        organizationName: "Shasta Medical Group",
        npi: "1234567890",
      },
      subscriber: {
        firstName: "Jane",
        lastName: "Doe",
        dateOfBirth: "19800115",
        memberId: "XYZ123456",
      },
    }),
  });

  const data = await response.json();
  console.log(data);
  ```

  ```python Python theme={null}
  import os
  import requests

  api_key = os.environ["SHASTA_API_KEY"]

  response = requests.post(
      "https://app.shasta.health/api/eligibility",
      headers={
          "Authorization": f"Key {api_key}",
          "Content-Type": "application/json",
      },
      json={
          "tradingPartnerServiceId": "60054",
          "provider": {
              "organizationName": "Shasta Medical Group",
              "npi": "1234567890",
          },
          "subscriber": {
              "firstName": "Jane",
              "lastName": "Doe",
              "dateOfBirth": "19800115",
              "memberId": "XYZ123456",
          },
      },
      timeout=30,  # requests has no default timeout; avoid hanging indefinitely
  )

  print(response.json())
  ```
</CodeGroup>

## Error responses

If the API key is missing or invalid, you will receive a `401` response:

```json theme={null}
{
  "code": "UnauthorizedException",
  "message": "Unauthorized"
}
```

If the key is valid but does not have permission for the requested operation, you will receive a `403` response:

```json theme={null}
{
  "code": "AccessDeniedException",
  "message": "Site is not configured for eligibility checks"
}
```
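The following is an added example, not part of the Shasta documentation or any Shasta SDK: it builds the `Authorization: Key ...` header from `SHASTA_API_KEY`, keeps the key out of logs, and separates the `401` case (the key is the problem) from the `403` case (the key is valid, so replacing it will not help). The helper names `auth_headers`, `redact`, `check_auth` and `ShastaAuthError` are hypothetical, and the sample bodies are constructed from the responses shown above.

```python
# Added example; helper names are hypothetical, not part of a Shasta SDK.
import json
import os

class ShastaAuthError(Exception):
    """Raised for 401/403 responses; the message never contains the API key."""
    def __init__(self, status, code, message, action):
        super().__init__(f"{status} {code}: {message} ({action})")
        self.status, self.code, self.action = status, code, action

def auth_headers(env=os.environ):
    """Build request headers from SHASTA_API_KEY, failing fast on a bad value."""
    key = env.get("SHASTA_API_KEY", "").strip()
    if not key:
        raise RuntimeError("SHASTA_API_KEY is not set")
    # CR/LF or other whitespace inside the key must never reach an HTTP header.
    if any(c.isspace() or ord(c) < 0x20 for c in key):
        raise RuntimeError("SHASTA_API_KEY contains whitespace or control characters")
    return {"Authorization": f"Key {key}", "Content-Type": "application/json"}

def redact(headers):
    """Return a copy of the headers that is safe to log."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Key [REDACTED]"
    return safe

def check_auth(status, body_text):
    """Raise ShastaAuthError for the two auth failures documented on this page."""
    if status not in (401, 403):
        return
    try:
        body = json.loads(body_text)
    except ValueError:
        body = None
    body = body if isinstance(body, dict) else {}
    if status == 401:  # key missing or invalid: the key itself is the problem
        action = "check that the key is set, or generate a new one"
    else:              # key valid but not permitted: a new key will not help
        action = "key is valid; review what it is permitted to do"
    raise ShastaAuthError(status, body.get("code", "unknown"),
                          body.get("message", ""), action)

# Constructed samples: the 401 and 403 bodies shown on this page.
SAMPLE_401 = '{"code": "UnauthorizedException", "message": "Unauthorized"}'
SAMPLE_403 = ('{"code": "AccessDeniedException", '
              '"message": "Site is not configured for eligibility checks"}')

if __name__ == "__main__":
    print(redact(auth_headers({"SHASTA_API_KEY": "constructed-key-123"})))
```

Call `check_auth(response.status_code, response.text)` before parsing a response, and log `redact(headers)` rather than the headers themselves.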

## Next steps

Once you have your API key set up, follow the [Eligibility Check Guide](/guides/eligibility-check) to submit your first eligibility check.
