# Authentication

All requests must include a valid API key in the `X-API-KEY` request header:


```http
GET /customers HTTP/1.1
Host: api.yogobooking.com
X-API-KEY: your_api_key_here
```

API keys are issued per client. All keys belonging to the same client share
the same rate-limit quota and the same data scope — a request authenticated
with any key for client X can only see data belonging to client X.

## Errors

| Status | Meaning |
|  --- | --- |
| `401` | Missing or invalid `X-API-KEY`. |
| `403` | API key is valid but the client's plan doesn't include API access. See [plan requirements](/guides/getting-started#plan-requirements). |