> ## Documentation Index
> Fetch the complete documentation index at: https://docs.artifacta.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate the CLI, SDK, and API with your API key.

Artifacta authenticates via API key. Every request — CLI, SDK, and REST API — requires a valid key.

## Get your API key

1. Sign up at [app.artifacta.io/signup](https://app.artifacta.io/signup)
2. Complete onboarding — a key is auto-generated for you
3. Or create additional keys at [app.artifacta.io/dashboard/keys](https://app.artifacta.io/dashboard/keys)

<Warning>
  Your full API key is shown **once** at creation time. Copy it immediately. You cannot retrieve it later — only the last 4 characters are visible after creation.
</Warning>

## Key format

```
ak_live_<32 alphanumeric characters>
```

Example: `ak_live_x9f7v3m1p0q2r4s6t8u0w1y3z5a7b9c2`

## Authenticate the CLI

<Tabs>
  <Tab title="Environment variable (recommended)">
    ```bash theme={null}
    export ARTIFACTA_API_KEY="ak_live_abc123..."
    ```

    Best for agents and CI. Every sub-process inherits the key automatically.
  </Tab>

  <Tab title="Interactive login">
    ```bash theme={null}
    artifacta auth login
    # Enter your API key: ak_live_abc123...
    # ✓ Authenticated as tenant "acme-corp"
    ```

    Stores in `~/.config/artifacta/config.toml`.
  </Tab>

  <Tab title="Pipe from stdin (CI / agents)">
    ```bash theme={null}
    echo "$ARTIFACTA_API_KEY" | artifacta auth login
    ```

    Reads the key from stdin when stdout isn't a TTY. Won't hang on empty stdin and keeps the secret out of process args (where `--key` would expose it to `ps`).
  </Tab>

  <Tab title="Non-interactive login (--key flag)">
    ```bash theme={null}
    artifacta auth login --key ak_live_abc123
    ```

    Convenient for one-off setups. Note: the key appears in shell history and `ps` output — prefer the stdin pipe for CI.
  </Tab>
</Tabs>

**Priority order:** `ARTIFACTA_API_KEY` env var > config file.

## Authenticate the Python SDK

```python theme={null}
from artifacta import Client

# Option 1: Auto-detect from environment or config file
client = Client()
# Reads ARTIFACTA_API_KEY from env, then ~/.config/artifacta/config.toml

# Option 2: Explicit key
client = Client(api_key="ak_live_abc123")
```

## Authenticate the REST API

```bash theme={null}
curl https://api.artifacta.io/v1/artifacts \
  -H "Authorization: Bearer ak_live_abc123"
```

Every API request requires the `Authorization: Bearer <key>` header.

## Verify authentication

```bash theme={null}
artifacta whoami
```

```text Output theme={null}
Tenant:  acme-corp
Plan:    free
Key:     ...k9f7 (last 4)
Usage:   0 / 10,000 requests this month
Storage: 0 B / 1 GB
```

Or in Python:

```python theme={null}
info = client.whoami()
print(info.tenant_name)  # "acme-corp"
print(info.plan)         # "free"
```

## Key limits

| Plan | Max active keys |
| ---- | --------------- |
| Free | 10              |
| Pro  | 50              |

Revoked keys don't count toward the limit. Revoke unused keys at [app.artifacta.io/dashboard/keys](https://app.artifacta.io/dashboard/keys).

## Security notes

* Keys are hashed (SHA-256) before storage — Artifacta never stores your full key
* A revoked key is immediately unusable
* Keys do not expire — revoke manually when no longer needed
* All keys have full tenant access (no per-key permission scopes in V1)
