API Authentication
All API requests require authentication using an API key. Learn how to create and manage your keys securely.
Getting an API Key
Using Your API Key
Include your API key in every request using one of these methods:
Header Authentication (Recommended)
Pass your API key in the x-api-key header. This is the recommended method as it keeps your key out of URLs and logs.
curl -X GET "https://api.scrapebadger.com/v1/twitter/users/elonmusk/by_username" \ -H "x-api-key: sb_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Query Parameter
Alternatively, pass your API key as a query parameter. Note that this method may expose your key in logs and browser history.
curl -X GET "https://api.scrapebadger.com/v1/twitter/users/elonmusk/by_username?api_key=sb_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Error Responses
If authentication fails, the API returns a 401 or 403 status code:
Missing or invalid API key. Check that you're including the key correctly.
Insufficient credits. Purchase more credits to continue making requests.
API key is disabled or account is restricted. Contact support if you believe this is an error.
Error Response Format
{
"detail": "Invalid or missing API key"
}Security Best Practices
Never expose keys in client-side code
API keys should only be used in server-side code. Never include them in frontend JavaScript, mobile apps, or public repositories.
Use separate keys for different environments
Create separate API keys for development, staging, and production. This makes it easier to rotate keys and track usage.
Rotate keys regularly
Periodically create new API keys and deactivate old ones. If a key is compromised, you can disable it without affecting other keys.
Managing API Keys
From your dashboard, you can:
- Create multiple API keys for different projects
- Rename keys for easier identification
- Enable or disable keys without deleting them
- View usage statistics per key
- Delete keys that are no longer needed