> ## Documentation Index
> Fetch the complete documentation index at: https://docs.clearpolicy.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate with the ClearPolicy API

> Learn how to create an API token and authenticate each request to the ClearPolicy REST API.

The ClearPolicy API uses bearer tokens for authentication. Every request must include a valid API token in the `Authorization` header. Tokens are tied to the organization where they were created, so the token you use determines which organization's data is returned.

## Create an API token

Organization owners and administrators can create API tokens in ClearPolicy.

<Steps>
  <Step title="Open API settings">
    In the ClearPolicy dashboard, go to **Settings -> API**.
  </Step>

  <Step title="Create a token">
    Click **Create API Token**. Give the token a clear name, such as `Reporting automation`, so your team knows where it is used.
  </Step>

  <Step title="Copy the bearer token">
    Copy the token when ClearPolicy shows it. You will not be able to view the full token again after you close the dialog.
  </Step>

  <Step title="Store it securely">
    Save the token in your password manager, secrets manager, or integration settings. Do not share it in email, chat, or public code.
  </Step>
</Steps>

## Pass the token in requests

Include the token in the `Authorization` header of every API request:

```http theme={null}
Authorization: Bearer YOUR_ACCESS_TOKEN
```

Example request using the token:

```bash theme={null}
curl https://api.clearpolicy.app/api/v1/me \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

## Error responses

| Status             | Meaning                                                             |
| ------------------ | ------------------------------------------------------------------- |
| `401 Unauthorized` | The token is missing, expired, or invalid.                          |
| `403 Forbidden`    | The token is valid but lacks permission for the requested resource. |

<Note>
  Tokens are organization-scoped. All API responses reflect the organization where the token was created.
</Note>

<Note>
  API access also follows the team member's ClearPolicy role. Owners and administrators can create and manage API tokens. Tokens tied to a Group Manager can confirm the token with `GET /me`, but people, documents, and attestation request endpoints return `403 Forbidden`.
</Note>

## Revoke a token

Go to **Settings -> API** to review active API tokens. You can see who created each token, when it was created, when it was last used, and when it expires. Click **Revoke** to remove access for a token you no longer need.
