> ## Documentation Index
> Fetch the complete documentation index at: https://dev.smile.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

The Smile API uses [HTTP Bearer Authentication](https://swagger.io/docs/specification/authentication/bearer-authentication/) (also known as token authentication) to authenticate requests. API requests are always made on behalf of a specific store/merchant/account, however the bearer value you supply depends on the entity that is making the API request:

* **Merchants -** Use an [API key](https://help.smile.io/en/articles/11328240-manage-your-api-keys).
* **Apps -** Use the `OAuth Access Token` you received after the merchant completed OAuth.

Once you've located your token value, supply it within an `Authorization` header of the request.

These secret keys and tokens carry many privileges, so be sure to keep them a safe. Do not use or include them in publicly accessible areas such as mobile application binaries, client-side code, or in GitHub repositories. Only make API calls that include these secrets from secured backend code.

All API requests must be made over HTTPS.

<RequestExample>
  ```bash API key theme={null}
  curl --location 'https://api.smile.io/v1/' \
    --header 'Authorization: Bearer api_cnzGMghxTmPzK1sp' \
  ```

  ```bash OAuth Access Token theme={null}
  curl --location 'https://api.smile.io/v1/' \
    --header 'Authorization: Bearer oa2_qz8mD1JdFwMgDd4o' \
  ```
</RequestExample>
