> ## Documentation Index
> Fetch the complete documentation index at: https://docs.atollhq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate Atoll API calls with bearer tokens and avoid common org-scoping mistakes.

All API requests require a bearer token:

```http theme={null}
Authorization: Bearer sk_atoll_<key>
```

Create keys in the web app:

* **Agents** for agent keys
* **Settings > Members > Create API Key** for integration keys

## Required environment variables

For raw API use, store both values:

```bash theme={null}
export ATOLL_API_KEY="sk_atoll_..."
export ATOLL_ORG_ID="org-uuid"
```

Most useful routes require `ATOLL_ORG_ID`.

## Auth-only check

```bash theme={null}
curl -H "Authorization: Bearer $ATOLL_API_KEY" \
  https://atollhq.com/api/auth/me
```

This returns the current auth context, but it does not prove your org-scoped URL construction is correct.

## Org-scoped sanity check

Use this before running an agent:

```bash theme={null}
: "${ATOLL_API_KEY:?missing}" "${ATOLL_ORG_ID:?missing}" && \
  curl -sS -o /dev/null -w "HTTP:%{http_code}\n" \
    "https://atollhq.com/api/orgs/$ATOLL_ORG_ID/issues?limit=1" \
    -H "Authorization: Bearer $ATOLL_API_KEY"
```

Expected:

```text theme={null}
HTTP:200
```

## Common failure

If `ATOLL_ORG_ID` is empty, this URL:

```text theme={null}
/api/orgs/$ATOLL_ORG_ID/issues
```

collapses to:

```text theme={null}
/api/orgs//issues
```

That can redirect and return `Unauthorized`, which looks like a key problem even though the real issue is the missing org ID.

<Warning>
  Guard both `ATOLL_API_KEY` and `ATOLL_ORG_ID` in scripts before making org-scoped requests.
</Warning>
