> ## Documentation Index
> Fetch the complete documentation index at: https://www.myhamlet.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate every request with a Bearer API key scoped to your entitlements.

## Authentication

Every endpoint under `/v1` is authenticated with an API key passed as a Bearer token:

```bash theme={null}
curl https://api.myhamlet.com/v1/locations \
  -H "Authorization: Bearer hmlt_your_api_key"
```

API keys are prefixed with `hmlt_` and are tied to your organization's
**entitlements** — the set of locations your key may read. Endpoints only ever return
data within those entitlements; anything outside them responds as if it does not exist
(a `404`), so resource existence is never leaked across organizations.

A missing, malformed, revoked, or unentitled key returns `401` with the standard error
envelope:

```json theme={null}
{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid API key."
  }
}
```

<Note>
  `/health`, `/openapi.json`, and the docs are the only public, unauthenticated routes.
  Everything under `/v1` requires a key.
</Note>

Requests are also rate-limited per key — see [Rate limits](/rate-limits).
