# Authentication

{% hint style="info" %}
The API endpoints require a `subdomain` in the path. The subdomain is the last part of a community URL.

For example, in <https://zealy.io/cw/join> the subdomain is **join**.
{% endhint %}

{% hint style="warning" %}
Some endpoints use the [api-v1.zealy.io](https://api-v1.zealy.io) domain and not the [api-v2.zealy.io](https://api-v2.zealy.io) domain.
{% endhint %}

The Zealy API uses API keys to authenticate requests. You can view and manage your API keys in the settings of your community.

Your API keys carry many privileges, so be sure to keep them secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

All API requests must be made over [HTTPS](http://en.wikipedia.org/wiki/HTTP_Secure). Calls made over plain HTTP will fail. API requests without authentication will also fail.

During the API key creation process, you need to define the scope of access for each key: either 'read-only', which can only access GET endpoints, or 'read/write', which has full access to all available endpoints. Choose the level that best suits the needs of your application or integration, bearing in mind the principle of least privilege to minimize potential security risks.

The API key needs to be sent in the `x-api-key` header. Here is an example with axios in Node.js.

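```javascript
import axios from "axios";

// The API key is sent in the x-api-key header (ES module, top-level await).
await axios.get(
  "https://api-v2.zealy.io/api/communities/join/users/d353db69-137f-41df-b5f3-7b1d1e3d52bb",
  {
    headers: {
      "x-api-key": "c9b27evEJqYf1lvvU7ADFHHwiso",
    },
  }
);
```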
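
The following is an added example, not Zealy's own code: it builds the request configuration so that the key comes from the environment, a read-only key is never used for a non-GET call, plain HTTP is refused, and the key is redacted in logs. The `ZEALY_API_KEY` variable name and all helper names are assumptions of this example.

```javascript
// Added example; ZEALY_API_KEY and every helper name below are assumptions.
const API_ORIGIN = "https://api-v2.zealy.io";

// Keep only the last 4 characters so logs can tell keys apart without leaking them.
function redactKey(key) {
  return key.length <= 4 ? "****" : "*".repeat(key.length - 4) + key.slice(-4);
}

function buildRequest({ subdomain, path, method = "GET", apiKey, scope = "read-only", origin = API_ORIGIN }) {
  if (!apiKey) throw new Error("API key missing: load it from the environment or a secret store");
  const verb = method.toUpperCase();
  // Per the page, a read-only key can only reach GET endpoints: fail before sending.
  if (scope === "read-only" && verb !== "GET") {
    throw new Error(`${verb} requires a read/write key`);
  }
  const prefix = `/api/communities/${encodeURIComponent(subdomain)}/`;
  const url = new URL(prefix + String(path).replace(/^\/+/, ""), origin);
  // The key must never travel over plain HTTP.
  if (url.protocol !== "https:") throw new Error("refusing to send the API key over plain HTTP");
  // After normalization ("..", encoded segments) the path must stay inside the community.
  if (!url.pathname.startsWith(prefix)) throw new Error("path escapes the community prefix");
  return { method: verb, url: url.href, headers: { "x-api-key": apiKey } };
}

// Log line for a request with the header value redacted.
function describeForLog(config) {
  return `${config.method} ${config.url} x-api-key=${redactKey(config.headers["x-api-key"])}`;
}

// Constructed placeholder key so the example runs offline; real code should fail when unset.
const demoKey = process.env.ZEALY_API_KEY || "constructed-sample-key-0000";
const demoConfig = buildRequest({
  subdomain: "join",
  path: "users/d353db69-137f-41df-b5f3-7b1d1e3d52bb",
  apiKey: demoKey,
});
console.log(describeForLog(demoConfig));
// To send it: await axios.request(demoConfig)
```

The scope check is a client-side guard only; the scope chosen when the key was created is what the API enforces.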
