# Authentication

The JFW API uses [Auth Keys](https://jframework.gitbook.io/developers/terms-definitions-abbreviations-and-regulations/definitions/authentication-key) to authenticate Protocol requests. You can obtain an Auth Key by either using [the JFW libraries](https://jframework.gitbook.io/developers/quick-start) or calling the following API endpoint:

{% openapi src="<https://448371851-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYugRKXdgv63rAmEctF7k%2Fuploads%2Fgit-blob-54cf67f78b7276fcd1e3e9f8f5b0e211c1813788%2Fjfw-api.json?alt=media>" path="/api/v1/users/auth" method="post" %}
[jfw-api.json](https://448371851-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYugRKXdgv63rAmEctF7k%2Fuploads%2Fgit-blob-54cf67f78b7276fcd1e3e9f8f5b0e211c1813788%2Fjfw-api.json?alt=media)
{% endopenapi %}

After having the Auth Key, you have to put that Auth Key and [Brand URL](https://help.jframework.io/services/identity/brand/how-to-identify-a-brand) to your [HTTP request header](https://developer.mozilla.org/en-US/docs/Glossary/Request_header) to use other API endpoints.

```
Brand-URL: your-domain.com
Auth-Key: your-key-is-here
```

{% hint style="warning" %}
Instead of an API key, we use a combination of Brand-URL and Auth-Key to gain access to API endpoints. To access those API endpoints that need certain permissions, we must include Auth-Key, brandUrl, or both in the request body. These values may not match the ones in the request headers.
{% endhint %}

If you need to use the device access, add the key header **Device-Code** before using the device access feature.