---
title: "Authentication"
description: "Use secret keys server-side and publishable keys in browser widgets."
---

# Authentication

Entrega uses bearer tokens. Send the key in the `Authorization` header.

```http
Authorization: Bearer sk_live_...
```

## Key types

| Key | Prefix | Where to use it |
| --- | --- | --- |
| Secret key | `sk_live_` | Server-to-server Core API requests. |
| Publishable key | `pk_live_` | Browser-side Widget API requests from allowed origins. |

## Server-side example

```bash
curl https://entrega.ao/v1/couriers \
  -H "Authorization: Bearer $ENTREGA_SECRET_KEY"
```

## Browser widget example

```js
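// publishableKey holds your pk_live_ key; origin, destination and parcel
// are the quote inputs collected by your page.
const response = await fetch("https://entrega.ao/v1/widget/quotes", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${publishableKey}`,
    "Content-Type": "application/json"
  },
  body: JSON.stringify({origin, destination, parcel})
});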
```

## Origin allow-list

Publishable keys are checked against your configured origins. Configure origins in the dashboard, for example:

- `https://loja.ao`
- `https://checkout.loja.ao`
- `http://localhost:3000`
- `https://*.loja.ao`
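
To see which browser origins a list like this admits, the following added example checks an `Origin` header value against it. It is not Entrega's code: the function names are hypothetical, and the matching rules (exact scheme and port, a leading `*.` standing for one or more subdomain labels but never the apex domain) are assumptions about how such a list is commonly evaluated.

```javascript
// Added example, not Entrega's implementation. Matching rules are assumptions.
const ALLOWED = [
  "https://loja.ao",
  "https://checkout.loja.ao",
  "http://localhost:3000",
  "https://*.loja.ao",
];

// Parse "scheme://host[:port]" by hand: "*" is not a valid URL host, and
// anything with a path, query, userinfo or the literal "null" is rejected.
function splitOrigin(value) {
  const m = /^(https?):\/\/([a-z0-9.*-]+)(?::(\d+))?$/i.exec(value);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const port = m[3] || (scheme === "https" ? "443" : "80");
  return { scheme, host: m[2].toLowerCase(), port };
}

function matchesEntry(origin, entry) {
  const o = splitOrigin(origin);
  const e = splitOrigin(entry);
  if (!o || !e || o.host.includes("*")) return false;
  // Scheme and port are part of the origin, so both must match exactly.
  if (o.scheme !== e.scheme || o.port !== e.port) return false;
  if (!e.host.startsWith("*.")) return o.host === e.host;
  // Keep the leading dot in the suffix so "evilloja.ao" cannot match
  // "*.loja.ao"; the length check keeps the apex "loja.ao" out as well.
  const suffix = e.host.slice(1); // ".loja.ao"
  return o.host.length > suffix.length && o.host.endsWith(suffix);
}

function isOriginAllowed(origin, allowList = ALLOWED) {
  return typeof origin === "string" &&
    allowList.some((entry) => matchesEntry(origin, entry));
}
```

Under these rules a wildcard entry covers every present and future subdomain, so list only domains where all subdomains are under your control.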

## Error responses

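A missing key, an invalid key, or a key used on the wrong surface (secret keys belong to the Core API, publishable keys to the Widget API) returns a problem response with status `401` or `403`.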

```json
{
  "type": "https://api.entrega.ao/errors/unauthorized",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Missing or invalid API key"
}
```
