> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dema.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to obtain API keys and authenticate your requests to the Dema's GraphQL API.

## Getting an API Key

<Note>
  API access is not enabled by default. To get started, reach out to your
  Customer Success team to have API access enabled for your account.
</Note>

To access the GraphQL API, users must obtain an API key from their Dema account settings. Follow these steps:

1. Navigate to **Settings** in the Dema Application.
2. Locate the **API Keys** section.
3. Generate an API key and configure its expiration and scopes/access level.
4. Copy the generated API key for use in your requests. (**Note:** The API key is only visible once when it is generated. If you lose it, you will need to generate a new one.)

## Using Your API Key

Authentication is required for all requests and must be passed via the `Authorization` header:

```
Authorization: Bearer API_KEY
```

### Example Request

Here's how to include the key in a cURL request:

```bash theme={null}
curl -X POST https://api.dema.ai/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "query": "query OrganizationInfoQuery { account { id name } }"
  }'
```

<Warning>
  Keep your API keys secure and never expose them in client-side code or public
  repositories. Treat API keys like passwords—rotate them regularly and revoke
  any keys that may have been compromised.
</Warning>

## Best Practices

* **Setting expiration**: When the API usage is limited to a specific time frame, it's a good idea to set an expiration date, to avoid forever lasting API keys.
* **Scopes**: Set appropriate access levels/scopes for each key, and avoid granting more access than necessary.
* **Revocation**: Immediately revoke any tokens that may have been exposed or compromised, this can be done in the API key settings by either deactivating the key or deleting it.

## API key policies

* Any updates to API key configuration like status changes (active/inactive), last usage, expiration, or scope changes are reflected in real usage after a few minutes.
* API keys are automatically removed if they are inactive and there hasn't been any activity on them in the last 60 days.
* API keys are removed 7 days after they expire.
