> ## Documentation Index
> Fetch the complete documentation index at: https://developer.karmacheck.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to obtain and use a JWT to authenticate KarmaCheck API requests.

All API requests must be authenticated with a token in the form of a [JSON Web Token](https://jwt.io/) (JWT). The KarmaCheck API uses a [Bearer authentication scheme](https://swagger.io/docs/specification/authentication/bearer-authentication/), which should be used only over HTTPS.

## Create an authentication token

To create an authentication token, you need to first contact KarmaCheck to [enable API access](/background-check-api/overview/customer-integration#enable-api-access). KarmaCheck will issue you an API key and one or more client access tokens. Each client access token gives access to a specific group within a company in the KarmaCheck system.

With the API key and a client access token, call the `POST /auth/api` endpoint to retrieve an authentication token:

```bash theme={null}
curl --request POST \
  --url https://api-stage.karmacheck.io/auth/api \
  --header 'Content-Type: application/json' \
  --data '{
    "apiKey": "API_KEY",
    "clientAccessToken": "CLIENT_ACCESS_TOKEN"
  }'
```

Replace `API_KEY` and `CLIENT_ACCESS_TOKEN` with your credentials. The response will contain your authentication token in the `token` field.

Note the following regarding KarmaCheck authentication tokens:

* Authentication tokens do not expire. However, tokens can be invalidated in order to revoke access to other API calls.
* Anyone with access to your authentication token can access your KarmaCheck data. Store these tokens as securely as possible and avoid placing them in shared codebases.

## Authenticate an API request

For all requests to the KarmaCheck API, set the `Authorization` header with the value `Bearer AUTHENTICATION_TOKEN`, replacing `AUTHENTICATION_TOKEN` with the authentication token that you created. Do *not* attempt to pass the authentication token in the query string (in other words, the URL).

```bash theme={null}
curl --request GET \
  --url https://api-stage.karmacheck.io/case/list \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer AUTHENTICATION_TOKEN'
```
