<!-- canonical: https://docs.costplus.io/docs/getting-started/authentication -->

> Learn how to authenticate with the Cost+ API
All communication with the Cost+ API requires **TLS 1.2 or higher** and **HTTP Basic Authentication**.

## How Basic Auth Works

Authenticate by using your **API key as the username** with an **empty password**. Base64-encode the string `\{api_key\}:` (note the trailing colon — the password is empty).

The resulting `Authorization` header looks like this:

```
Authorization: Basic aHVudGVyMjo=
```

> [!WARNING]
> Never expose your API key in client-side code or public repositories. Keep it server-side only.

## Using cURL

### Out-of-the-box (recommended)

cURL natively supports Basic Auth with the `-u` flag. Pass your API key followed by a colon:

```bash title="cURL with -u flag"
curl -u YOUR_API_KEY: https://api.costplus.online/v1/orders/
```

### Manual Base64 encoding

If you prefer to construct the header yourself, first encode the key:

```bash title="Encode the API key"
echo -n "YOUR_API_KEY:" | base64
```

Then pass the encoded value in the `Authorization` header:

```bash title="cURL with manual Authorization header"
curl -H "Authorization: Basic YOUR_BASE64_ENCODED_KEY" https://api.costplus.online/v1/orders/
```

> [!TIP]
> The trailing colon after the API key is required — it separates the username from the (empty) password in the Basic Auth scheme.

## HTTP Status Codes

The API uses standard HTTP status codes to indicate the result of a request.

| Status Code | Meaning | Description |
|---|---|---|
| **200** | OK | Request succeeded. |
| **201** | Created | Resource was successfully created. |
| **400** | Bad Request | The request was malformed or missing required fields. |
| **401** | Unauthorized | Authentication failed — check your API key. |
| **403** | Forbidden | You do not have permission to access this resource. |
| **404** | Not Found | The requested resource does not exist. |
| **500** | Internal Server Error | Something went wrong on our end. |
| **502** | Bad Gateway | Upstream service error. |
| **503** | Service Unavailable | The API is temporarily unavailable. |
| **504** | Gateway Timeout | The upstream service did not respond in time. |