> ## Documentation Index
> Fetch the complete documentation index at: https://docs.argalabs.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate requests to the Arga API

All public API requests use a bearer token:

```bash theme={null}
Authorization: Bearer <token>
```

Use an Arga API key for server-to-server calls. You can create one from **Settings -> API Keys** in the web app or by running `arga login` from the CLI.

| Token type | Typical use                                    | Notes                                                                                                    |
| ---------- | ---------------------------------------------- | -------------------------------------------------------------------------------------------------------- |
| API key    | SDKs, CI jobs, scripts, local tools            | Starts with `arga_sk_`. Accepted by the public endpoints in this reference unless a page says otherwise. |
| JWT        | Web app sessions and user-scoped browser flows | Returned by the app auth flow. Some GitHub configuration endpoints require a user session.               |

The API base URL is:

```text theme={null}
https://api.argalabs.com
```

## One account per email

Each email address can only be linked to a single Arga account. Emails are normalized (trimmed and lowercased) before comparison.

Endpoints that touch identity return a `409` when this rule is violated:

| Endpoint                                        | Trigger                                                                                           | Response                                                                                                                               |
| ----------------------------------------------- | ------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| `POST /auth/email-verification/request`         | The submitted email is already linked to another account.                                         | `409` with detail `Only one account can use an email address. This email is already linked to another account.`                        |
| `POST /auth/email-verification/verify`          | The submitted email is already linked to another account.                                         | `409` with the same detail as above.                                                                                                   |
| `POST /auth/email/signup`                       | An account already exists with the submitted email (verified or not).                             | `409`                                                                                                                                  |
| `GET /auth/github/callback` (purpose `login`)   | The GitHub account or the email returned by GitHub is already linked to a different Arga account. | Redirect to the web app login page with `error=github_identity_already_linked` and a `detail` query parameter describing the conflict. |
| `GET /auth/github/callback` (purpose `connect`) | The GitHub account or its email is already linked to a different Arga account.                    | Redirect to `/integrations` with `error=github_identity_already_linked` and a `detail` query parameter.                                |

When the GitHub-returned email matches an existing email-only Arga account that has not yet linked a GitHub identity, the GitHub callback links GitHub to that existing account instead of creating a duplicate.