1  # Security
 2  
 3  The default implementation of an API service runs via HTTP and is fully open. If the service is being run as a prototype on an internal network, that may be fine. In most scenarios, the connection should at least be encrypted. Authorization is another built-in feature that requires a valid API token with each request. See below for more.
 4  
 5  ## HTTPS
 6  
 7  The default API service command starts a Uvicorn server as a HTTP service on port 8000. To run a HTTPS service, consider the following options.
 8  
 9  - [TLS Proxy Server](https://fastapi.tiangolo.com/deployment/https/). *Recommended choice*. With this configuration, the txtai API service runs as a HTTP service only accessible on the localhost/local network. The proxy server handles all encryption and redirects requests to local services. See this [example configuration](https://www.uvicorn.org/deployment/#running-behind-nginx) for more.
10  
11  - [Uvicorn SSL Certificate](https://www.uvicorn.org/deployment/). Another option is setting the SSL certificate on the Uvicorn service. This works in simple situations but gets complex when hosting multiple txtai or other related services.
12  
13  ## Authorization
14  
15  Authorization requires a valid API token with each API request. This token is sent as a HTTP `Authorization` header. 
16  
17  *Server*
18  ```bash
19  CONFIG=config.yml TOKEN=<sha256 encoded token> uvicorn "txtai.api:app"
20  ```
21  
22  *Client*
23  ```bash
24  curl \
25    -X POST "http://localhost:8000/workflow" \
26    -H "Content-Type: application/json" \
27    -H "Authorization: Bearer <token>" \ 
28    -d '{"name":"sumfrench", "elements": ["https://github.com/neuml/txtai"]}'
29  ```
30  
31  It's important to note that HTTPS **must** be enabled using one of the methods mentioned above. Otherwise, tokens will be exchanged as clear text. 
32  
33  Authentication and Authorization can be fully customized. See the [dependencies](../customization#dependencies) section for more.