# Authentication

All meshVI API endpoints described in this documentation require **API authorization** via a **Bearer token** (JWT) and an **API key** in the **`apiKey`** HTTP header.

The **Bearer** token is validated by the meshVI API application (including `[APIAuthorize]` routes). The **`apiKey`** header is required at the **hosted API edge** (e.g. `https://uat-verified.meshvi.com`) in addition to the token.

## Bearer token

Include your token in the `Authorization` header of every request:

```http
Authorization: Bearer YOUR_ACCESS_TOKEN
```

## API key

Include your API key in the `apiKey` header on every request:

```http
apiKey: YOUR_API_KEY
```

## Base URL

Staging is the environment documented here (see the **Servers** list in the [API Reference](/apis/meshvi)):

- **Staging (UAT):** `https://uat-verified.meshvi.com`


### Example

```bash
curl -X GET "https://uat-verified.meshvi.com/v1/clients?page=1&limit=10" \\
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \\
  -H "apiKey: YOUR_API_KEY" \\
  -H "Accept: application/json"
```

## Obtaining credentials

- API access, tokens, and API keys are provided through meshVI or your organization’s administrator.
- For integration and token requests, contact [meshVI](https://www.meshvi.com) or use your existing meshVI portal/account.


## Security

- Do not share or commit tokens or API keys in source code or public repositories.
- Use environment variables or a secure secrets manager in your application.
- Treat tokens and keys as sensitive credentials; rotate them if exposure is suspected.


## Unauthorized (401)

If the token or API key is missing, invalid, or expired, the API returns `401 Unauthorized`. Ensure both headers are set correctly and the credentials are valid.