# Authentication

The Whaly API uses Service Account Secret Keys to authenticate requests. You can view and manage your Secret keys in your Whaly settings panel.

Secret keys have the prefix `sk` . In order to grant proper access control to your Secret Keys, you should manage the roles and sharings of the attached Service Account.

{% hint style="warning" %}
Your Secret keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.
{% endhint %}

Authentication to the API is performed via **HTTP Bearer Auth**. Provide your Secret key as the Bearer value in your Authorization header.

Example of curl option would be `-H "Authorization: Bearer sk:4eC39HqLyjWDarjtT1zdp7dc"` 

All API requests must be made over [HTTPS](http://en.wikipedia.org/wiki/HTTP_Secure). Calls made over plain HTTP will fail. API requests without authentication will also fail.