# Authentication

Authentication for the Quinyx SOAP API uses a per-unit **API key** sent as a parameter on every operation request. There is no token exchange and no OAuth flow — the API key alone identifies the calling unit and authorizes the operation.

## Get your API key

The API key is a unique string used to identify which unit the call is made for. A unit is an organizational entity in Quinyx WFM such as a store or restaurant. Use the **main unit's** API key to fetch all other API keys, as those are needed to fetch unit-specific data.

API keys are accessible through *Account settings → Integrations API-keys → selected Unit/Section*. The main unit API-key is found by selecting the **Domain** API-key.

API keys are case sensitive and you should treat them as very sensitive security items.

![Integrations API-keys page in Account settings](/assets/api-keys.3782ee672fea9ea66e037a9fdc2e455f8702321c6d0510c67cc1c36e151b4792.4303c6d8.png)

This is only available to account managers with access to account settings and integration credentials.

## Send the API key

The API key is sent as a parameter on every operation request:

```xml
<ns1:apiKey>YOUR_API_KEY_HERE</ns1:apiKey>
```

The parameter is mandatory — operations that don't carry a valid API key are rejected.

Never share API keys or sample requests containing API keys.

## IP address lockout (allowlisting)

We recommend organizations limit which IP addresses can access Quinyx Web Services for their data, in order to import or export data for their units. If you are repeatedly receiving HTTP `Error 401 Unauthorized` in your testing, please check with your Quinyx application administrator if an IP lockout has been imposed.