> ## Documentation Index
> Fetch the complete documentation index at: https://docs.spote.cloud/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate with the Spote API

> Authenticate Spote API and MCP requests by passing a Personal Access Token as a Bearer token in the Authorization header on every request.

Every Spote API request must include an `Authorization` header with your Personal Access Token (PAT). Tokens start with `spote_` and are generated from your Settings page. The raw token value is shown only once at creation time — the server stores only a hashed representation.

## Getting a token

Generate a Personal Access Token from your Spote Settings page. See [Personal Access Tokens](/guides/personal-access-tokens) for a step-by-step guide.

## Using the token

Pass the token as a Bearer token in the `Authorization` header of every request:

```bash theme={null}
curl https://your-spote-app.com/api/notes \
  -H "Authorization: Bearer spote_YOUR_TOKEN_HERE"
```

## Token format

Tokens follow the format `spote_<32 hex characters>`:

```
spote_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
```

Each token value is unique and cryptographically random. Spote stores only a secure hash of the token — never the raw value.

## Error responses

| Status           | Description                                                            |
| ---------------- | ---------------------------------------------------------------------- |
| 401 Unauthorized | The `Authorization` header is missing or the token is invalid.         |
| 403 Forbidden    | The token is valid but does not have access to the requested resource. |

<Warning>
  Tokens are shown only once when generated. If you lose a token, revoke it and create a new one.
</Warning>
