title: 'Authentication' sidebar_label: 'Authentication' sidebar_position: 3 desired_sidebar: api description: 'Authentication documentation' pagination_prev: null pagination_next: null tags:
Spice supports adding optional authentication to its API endpoints via configurable API keys.
Use the auth section as a child to runtime to provide the API keys. Multiple API keys can be specified, and any of the keys can be used to authenticate requests.
To learn more about secrets, see Secret Stores.
:::info
The API key authentication is applied on startup and changes will not take effect until the runtime is restarted.
:::
For HTTP routes, the API key is expected to be included in the X-API-Key header.
The /health and /v1/ready endpoints are not protected and can be accessed without an API key.
For the Flight SQL endpoint, the API key is expected to be included in the Authorization header as a Bearer token, i.e. Authorization: Bearer ${ api_key }.
When API key authentication is enabled, the Spice CLI can connect to the runtime by specifying the --api-key argument.
