# Authentication


**Version 1 is open and read-only — no API key or token is required.** Make `GET` requests
directly against `https://apis.io/api/v1`.

```bash
curl "https://apis.io/api/v1/search?q=sms"
```

This matches APIs.io's open-discovery mission: the catalog is public, and there is no endpoint that
mutates it.

## API-key-ready

The OpenAPI contract defines an `ApiKeyAuth` security scheme that is **not enforced** in v1. It is
declared so metering or higher rate tiers can be introduced later without a breaking change — if and
when keys are required, they'll be sent as a header and documented here.

## CORS

The API is served same-origin with `apis.io`, and responses are browser-friendly, so you can call it
directly from web apps and from the [agent surfaces](./mcp-server).