> ## Documentation Index
> Fetch the complete documentation index at: https://developer.hellgate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate to your Guardian instance with an API key, and the scopes that gate each endpoint.

Every Guardian API request is authenticated with an **API key**, sent in the `x-api-key` header:

```http theme={null}
x-api-key: <your_api_key>
```

Keys are issued per instance. Administrative operations may also use an admin token (`x-admin-token`). See
[API Information](/products/guardian/api-reference/getting-started#authentication) for the full authentication
reference and your instance URL.

## Scopes

Each API key carries a set of **scopes** that gate the endpoints it can call. Grant only the scopes an
integration needs — follow the principle of least privilege.

### Token operations

| Scope                       | Grants                                                                                                     |
| --------------------------- | ---------------------------------------------------------------------------------------------------------- |
| `pci:tokens:create`         | `POST /api/pci/tokens`                                                                                     |
| `pci:tokens:read`           | `GET /api/pci/tokens`<br />`GET /api/pci/tokens/{id}`<br />`GET /api/pci/tokens/{id}/security-code`        |
| `pci:tokens:update`         | `POST /api/pci/tokens/{id}/security-code`<br />`DELETE /api/pci/tokens/{id}/security-code`                 |
| `pci:tokens:delete`         | `DELETE /api/pci/tokens/{id}`                                                                              |
| `pci:tokens:forward`        | `POST /api/pci/tokens/{id}/forward`                                                                        |
| `generic:tokens:create`     | `POST /api/generic/tokens`                                                                                 |
| `generic:tokens:read`       | `GET /api/generic/tokens`<br />`GET /api/generic/tokens/{id}`<br />`GET /api/generic/tokens/{id}/payload`  |
| `generic:tokens:delete`     | `DELETE /api/generic/tokens/{id}`                                                                          |
| `network:tokens:create`     | `POST /api/network/tokens`                                                                                 |
| `network:tokens:read`       | `GET /api/network/tokens`<br />`GET /api/network/tokens/{id}`<br />`GET /api/network/tokens/{id}/card-art` |
| `network:tokens:delete`     | `DELETE /api/network/tokens/{id}`                                                                          |
| `network:tokens:use`        | `POST /api/network/tokens/{id}/cryptograms`                                                                |
| `network:tokens:forward`    | `POST /api/network/tokens/{id}/forward`                                                                    |
| `metadata:inquiries:create` | `POST /api/metadata/inquiries`                                                                             |

<Note>
  `network:tokens:*` requires the **Network Tokens** add-on, and `metadata:inquiries:create` requires the
  **Metadata Inquiries** add-on, enabled on your instance. See [Plans & Access](/products/guardian/plans-and-access).
</Note>

### Administrative operations

Administrative endpoints manage the instance itself. They require a key (or admin token) carrying the relevant
`admin:*` scope.

| Scope                   | Grants                                                        |
| ----------------------- | ------------------------------------------------------------- |
| `admin:api-keys:create` | `POST /api/admin/api-keys`                                    |
| `admin:api-keys:read`   | `GET /api/admin/api-keys`<br />`GET /api/admin/api-keys/{id}` |
| `admin:api-keys:update` | `PATCH /api/admin/api-keys/{id}`                              |
| `admin:api-keys:delete` | `DELETE /api/admin/api-keys/{id}`                             |
| `admin:webhooks:create` | `POST /api/admin/webhooks`                                    |
| `admin:webhooks:read`   | `GET /api/admin/webhooks`<br />`GET /api/admin/webhooks/{id}` |
| `admin:webhooks:delete` | `DELETE /api/admin/webhooks/{id}`                             |
| `admin:types:create`    | `POST /api/admin/types`                                       |
| `admin:types:read`      | `GET /api/admin/types`<br />`GET /api/admin/types/{id}`       |
| `admin:types:delete`    | `DELETE /api/admin/types/{id}`                                |
| `admin:imports:create`  | `POST /api/admin/imports`                                     |
| `admin:imports:read`    | `GET /api/admin/imports/{id}`                                 |
| `admin:imports:cancel`  | `POST /api/admin/imports/{id}/cancel`                         |

## Next steps

<Card title="API Keys" icon="key" href="/products/guardian/management/api-keys">
  Create and manage the API keys that carry these scopes.
</Card>
