Skip to main content

API Key Authentication

All requests to our API must include an API key in the headers: 
headers: {
'x-api-key': 'your-api-key-here'
}

Domain-Based Access Control

The API implements domain-based CORS protection:
  1. Each API key is associated with specific allowed domains
  2. Requests must include both the API key and origin header
  3. The system validates that the origin is allowed for the provided API key
  4. If validated, appropriate CORS headers are set for the response

Rate Limiting

To protect our services, we implement Redis-based rate limiting:
  • Default limit: 40 requests per time window
  • Block duration: 12 seconds
  • Rate limits are tracked per IP address
  • Special bypass for trusted API keys

Special Access

For special access please contact the founding team.

Best Practices

  1. Implement proper error handling for rate limit responses (429 status)
  2. Setup the correct cors settings for the given api key

Error Responses

The API may return the following authentication-related errors:
  • 401: Missing or invalid API key
  • 403: Unauthorized domain
  • 429: Rate limit exceeded
For implementation examples, refer to our SDK Introduction guide.