# Authentication

https://api-docs.lumar.io/docs/graphql/authentication

An unauthenticated user can use only a handful of public mutations and queries. To gain more access, session token needs to be created and used.

### Creating API user key

To generate API user key you can do that at  or after logging into API you can use GraphQL API.

**How to generate API user key token and secret**


```graphql
mutation GenerateUserKey {
  createUserKey {
    id
    secret
  }
}
```

**Response:**
```json
{
  "data": {
    "createUserKey": {
      "id": "TjAwN1VzZXJLZXkxMzI",
      "secret": "2199800d3dabcda4f96a36f0e410ec096aa5f1b59cad10b082cf779edff8541495245300"
    }
  }
}
```

You can also use [Lumar CLI](/docs/cli.md#oreo-user-key-create) to generate API user key.

### Obtain session token using API user key and secret token

**How to login using API user key and secret token**


```graphql
mutation LoginWithUserKey($secret: String!, $userKeyId: ObjectID!) {
  createSessionUsingUserKey(input: { userKeyId: $userKeyId, secret: $secret }) {
    token
  }
}
```

**Variables:**
```json
{
  "userKeyId": 130,
  "userKeyId": "TjAwN1VzZXJLZXkxMzA",
  "secret": "Zp8FxbFEri-hU1iE5_9n4890c0TxmCkNIetdz0CvPpEQA-cWg1NErxIMXBnEvRHU1xH1e3qC"
}
```

**Response:**
```json
{
  "data": {
    "createSessionUsingUserKey": {
      "token": "81372d5bd83919e791be3fe06cdf2b7e760eebe525b3f4f2a8c1a856fc4ea935e14331eb235e7b972d66037e22a4ac7009d9a2d1ff414a751fe29b425c449d00"
    }
  }
}
```

### Using session token

After signing in you will receive session token that will be valid for 30 days.
To authenticate requests to the API send session token in HTTP header `x-auth-token` value.

```bash
curl -H "x-auth-token: <session token>" -XPOST https://api.lumar.io/graphql -H "Content-Type: application/json" --data-raw '{"query": "{version}"}'
```

Passing invalid session token will result in 401 error.

### Service Accounts

For programmatic access without user credentials (e.g., CI/CD pipelines, server-to-server communication), you can use [Service Accounts](/docs/graphql/service-accounts.md). Service accounts authenticate using an API key passed in the `x-api-key` header:

```bash
curl -H "x-api-key: lmr_sa_123_your-secret-key" -XPOST https://api.lumar.io/graphql -H "Content-Type: application/json" --data-raw '{"query": "{version}"}'
```

See the [Service Accounts guide](/docs/graphql/service-accounts.md) for details on creating and managing service accounts.