Skip to main content

Authentication

Criffy public data integrations use a Bearer API key. Dashboard account actions use a signed-in session and are not part of the Bearer-auth data API.

1. Bearer API keys for public data

All public data endpoints under /api/v1/* require a Bearer API key and an active Pro+ subscription.
If the key is missing, invalid, revoked, or belongs to a non-Pro+ account, the API returns one of these shared errors:
  • invalid_api_key
  • subscription_required

2. Managing your key

Generate, rotate, or revoke your API key from the Criffy dashboard:
  1. Buy or upgrade to a Pro+ plan.
  2. Sign in to your account.
  3. Open Settings -> API.
  4. Manage the key and usage there.
Dashboard account flows are separate from the Bearer-auth public data API. External integrations should use the generated API key only as a Bearer token for public data endpoints.

Practical guidance

  • Use Bearer API keys for backend-to-backend access to public data.
  • Do not expose API keys in browser or mobile client code.
  • Store the plaintext key securely when it is created or regenerated. It is only shown once.
  • Rotate the key from Settings -> API if it is exposed.
  • Check current monthly usage from Settings -> API.
  • Use the dashboard for key management, and use Bearer authentication for external integrations.