> ## Documentation Index
> Fetch the complete documentation index at: https://documentation.qonversion.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the Qonversion REST API v4

The Qonversion REST API v4 uses Bearer token authentication.

## Secret Key

**All v4 public endpoints require a Secret Key.** Unlike v3, which mixed SDK-level access tokens with privileged server keys, v4 exposes only the server-to-server surface — so a single token type is used for every operation, from reads to privileged mutations (granting entitlements, managing products, experiment overrides, rotating credentials).

* Prefixed with `sk_`
* Found in **Project settings** in the [Qonversion dashboard](https://dash.qonversion.io)
* Passed as `Authorization: Bearer sk_…`

```bash theme={null}
curl --request GET \
  --url https://api.qonversion.io/v4/users/{user_id} \
  --header 'Authorization: Bearer sk_YOUR_SECRET_KEY' \
  --header 'Content-Type: application/json'
```

<Warning>
  The Secret Key should only be stored on your server. **Never use the Secret Key in Android, iOS, or web apps.** Client apps authenticate through the Qonversion SDK, which uses a separate SDK-level token — not the public REST API v4.
</Warning>

## Sandbox vs production

Use a test-prefixed token to target the sandbox environment:

```
Authorization: Bearer test_sk_…  → sandbox
Authorization: Bearer sk_…       → production
```

The API behaves identically in both environments; data is isolated.

## Error codes

| Status | Error code             | When                                                              |
| ------ | ---------------------- | ----------------------------------------------------------------- |
| 401    | `control_unauthorized` | Missing or invalid Bearer token                                   |
| 403    | `control_forbidden`    | Valid token, insufficient permissions for the requested operation |

See [Handling Errors](/reference/v4/handling-api-errors) for the full error envelope.

## Coming from v3?

In v3 some endpoints accepted a non-secret **Project Key** (SDK-level access token) — for example, reading users or creating purchases. In v4 those endpoints live only on the server-to-server surface and require a **Secret Key**. Client SDKs continue to use their own access token and do not call the v4 public API directly.
