# Authentication

All requests to the Testpad API must include the Authorization HTTP Header that supplies an API access token for your account.

<br>

**HTTP Header**
<br>
<br>


The `Authorization` header value must have the format: `Authorization: apikey <TOKEN>`

The token must be preceded by the prefix `apikey` to be considered a valid authorization value. It is envisaged that alternative authorization schemes may be added in the future, and these would be differentiated with a different prefix.

<br>

**API Access Token**
<br>
<br>

Create and manage API Access Tokens on the API settings page in the Testpad app (account Owners only).

The API settings page is found in the Settings section of the navigation links in the bottom left of the main project view.

If you cannot see a link to API settings (and you are an Owner-type user), then your account probably has not yet been enabled for API access – please contact support@testpad.com to request access.

Security notes:

- Tokens are 3072-bit random numbers encoded as a 48-character case-sensitive string.  
- Tokens are generated by Testpad using a cryptographically-strong random number generator.
- An account may generate and make use of multiple tokens, e.g. to give different teams different tokens.
- For now, the API is secured with tokens that grant access to all API capabilities and across all projects. It is expected that more fine-grained control such as role-specific and project-specific access keys will be supported in the future.