> ## Documentation Index
> Fetch the complete documentation index at: https://developer.usetyms.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Business API keys, partner keys, headers, and Developer API access requirements.

Most Adam Developer API routes use a **business API key** in a header. You pass a secret, and the server enforces **which business** (or **partner program**) the credential belongs to.

Building an integration app for **many** Tyms customers? Use [OAuth 2.0](/oauth) instead of asking each user for their business secret key.

## Two kinds of credentials

### Business secret key (`tyms_sk_...`)

Used for **every** `v1/adam` route **except** [Register business](/api-reference/register-business).

* Issued per business from the Adam app (**Settings** → **Business settings** → **API**).
* Grants access **only** to that business’s data.
* Public key (`tyms_pk_...`) is not used as the Bearer-style secret for these REST calls; integrations use the **secret** key.

### Partner API key (`adam_partner_sk_...` or equivalent)

Used **only** for **`POST /register-business`** (full URL under [Base URL](/introduction#base-url)).

* Issued when Adam onboards you as a **referral business partner** (distributor).
* Creates a **new** business and optionally returns that business’s Developer API keys when `grant_access` is `admin`.
* After registration, **stop** using the partner key for that customer’s day-to-day API calls — use the returned **`tyms_sk_...`** instead.

<Note>
  Partner **program** onboarding (admin registration, contract terms, commission or prepaid structures) is handled outside this reference. If you are integrating as a partner, complete Adam’s partner onboarding first so you receive partner credentials. Technical detail for **`POST /register-business`** is in the [API reference](/api-reference/register-business).
</Note>

## Accepted header names

Send the key in **any one** of these headers (same value):

* `X-API-Key`
* `api-key`
* `sk`

## Developer API subscription

On protected routes, the business must meet Adam’s **Developer API subscription** rules. If not, the API responds with **403 Forbidden** and an explanatory `message`.

## Validate a business key

To confirm a key and load business metadata, call **`GET /auth/validate`**. Request/response fields are documented on [Validate business](/api-reference/authentication).

## Security practices

* Store **`tyms_sk_...`** and partner secrets in a **secret manager** or environment variables — never in client-side code or public repos.
* Rotate keys from the Adam app if a secret is exposed.
* Prefer **TLS** only (`https://api.useadam.io`).

## Related reference

* [OAuth 2.0](/oauth) — third-party integration apps connecting Tyms users
* [API overview](/api-reference/overview) — errors, rate limits, UUID rules
* [Register business](/api-reference/register-business) — partner-only registration payload and response
