# API Key and Authentication

To access the Tomba.io API, you must authenticate every request using a unique **API key** and **secret**. These credentials are required for all endpoints and ensure that your usage is tracked correctly.

> **Important:** Your API key and secret identify your account. Keep them safe. Do not share them publicly or embed them in frontend code.

You can generate, regenerate, or revoke your API keys at any time from your [API Keys 🔑 ](https://app.tomba.io/api).

## Required Authentication Headers

Include the following headers in every request:

| Field   | Header Name      | Location |
| ------- | ---------------- | -------- |
| API Key | `X-Tomba-Key`    | `header` |
| Secret  | `X-Tomba-Secret` | `header` |

Example usage in `curl`:

```bash
curl -X GET "https://api.tomba.io/v1/domain-search?domain=example.com" \
     -H "X-Tomba-Key: your_api_key" \
     -H "X-Tomba-Secret: your_secret_key"
```

Example usage in JavaScript:

```javascript
const response = await fetch("https://api.tomba.io/v1/domain-search?domain=example.com", {
     headers: {
          "X-Tomba-Key": "your_api_key",
          "X-Tomba-Secret": "your_secret_key",
     },
});

const data = await response.json();
console.log(data);
```

Example usage in Python:

```python
import requests

response = requests.get(
          "https://api.tomba.io/v1/domain-search",
          params={"domain": "example.com"},
          headers={
                    "X-Tomba-Key": "your_api_key",
                    "X-Tomba-Secret": "your_secret_key",
          },
)

print(response.json())
```