# Authentication

You must make all API calls over [HTTPS](http://en.wikipedia.org/wiki/HTTP_Secure). Calls that you make over plain HTTP will fail. API requests without authentication will also fail.

**Where to find API keys**

The ***client\_id\_key*** and ***client\_secret\_key*** are found on the settings page, which is accessible from the navigation bar if you have a paid account.

**Public API requests**

Public-facing API requests (i.e. those made from client-side code) should have client\_id\_key set in the request headers.

```
client_id_key: 'ae3a42a7-8803-4d49-944a-2dfba8111b5a'
```

**Private API requests**

Private-facing API requests (i.e. those made from server-side code) should have client\_id\_key ***and*** client\_secret\_key set in the request headers.

You should never expose the ***client\_secret\_key*** in publicly accessible areas such as GitHub, client-side code, and so forth. If you feel you have inadvertently exposed your keys, you can recycle them at any time.

```
client_id_key: 'ae3a42a7-8803-4d49-944a-2dfba8111b5a'
client_secret_key: 'be3b42b7-8803-4d49-944b-2dfbb8111b5b'
```
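One way to enforce the rule above before code is committed, as an added example that is not part of the original documentation: a scanner that flags a hard-coded client_secret_key literal and ignores the public client_id_key. It assumes keys are UUID-shaped like the samples on this page; `find_hardcoded_secrets`, `scan_paths` and `SAMPLE` are names chosen for this example.

```python
import re
import sys
from pathlib import Path

# Assumption: keys are UUID-shaped, like the sample values on this page.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# client_secret_key, then ':' or '=', then a quoted or bare UUID literal.
SECRET_LITERAL = re.compile(
    r"client_secret_key[\"']?\s*[:=]\s*[\"']?(" + UUID + r")", re.IGNORECASE
)

# Constructed sample input, reusing the example key values shown on this page.
SAMPLE = """headers = {
    'client_id_key': 'ae3a42a7-8803-4d49-944a-2dfba8111b5a',
    'client_secret_key': 'be3b42b7-8803-4d49-944b-2dfbb8111b5b',
}
secret = os.environ['CLIENT_SECRET_KEY']  # read at runtime: not flagged
"""

def find_hardcoded_secrets(text):
    """Return (line_number, redacted_value) for each hard-coded secret key."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_LITERAL.finditer(line):
            value = match.group(1)
            # Redact so the scanner's own output never re-leaks the key.
            findings.append((number, value[:4] + "..." + value[-4:]))
    return findings

def scan_paths(paths):
    """Scan files; return {path: findings} for files with at least one hit."""
    report = {}
    for path in paths:
        try:
            text = Path(path).read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file or directory: skip it
        hits = find_hardcoded_secrets(text)
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    # Intended use: pass the staged file names from a pre-commit hook.
    results = scan_paths(sys.argv[1:])
    for path, hits in results.items():
        for number, redacted in hits:
            print(f"{path}:{number}: hard-coded client_secret_key ({redacted})")
    sys.exit(1 if results else 0)
```

The script exits non-zero when any file contains a literal secret, so a hook or CI step can block the commit.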

**Recycling keys**

The client\_id\_key and client\_secret\_key can be recycled on the settings page, which is accessible from the navigation bar if you have a paid account. Make sure you update any code that references the old keys so that it uses the new keys.
