# Authentication

The API uses header-based authentication. All webhook management requests require authentication headers.

## Authentication method

```http
X-Joy-Loyalty-App-Key: your_app_key_here
X-Joy-Loyalty-Secret-Key: your_secret_key_here
```

{% hint style="warning" %}
You can retrieve these credentials from your Joy Loyalty app settings page in the Shopify admin.
{% endhint %}

## Authentication rules

* `X-Joy-Loyalty-Secret-Key` is **always required**
* `X-Joy-Loyalty-App-Key` is **required**

## Authentication example

```bash
curl -X GET "https://joy.avada.io/app/api/v1/webhooks" \
  -H "X-Joy-Loyalty-App-Key: your_app_key" \
  -H "X-Joy-Loyalty-Secret-Key: your_secret_key" \
  -H "Content-Type: application/json"
```

## Response format

All API responses follow a consistent envelope structure:

### Success response

```json
{
  "success": true,
  "webhooks": [], 
  "webhook": {}, 
  "timestamp": "2024-01-15T10:30:00.000Z"
}
```

### Error response

```json
{
  "success": false,
  "error": "Resource not found",
  "timestamp": "2024-01-15T10:30:00.000Z"
}
```