Authentication
Authenticate every data request with an API key.
All data endpoints require an API key. Create and manage keys in the dashboard.
Sending your key
Two equivalent options — pick one:
curl "https://api.extractr.dev/spotify/search?q=daft+punk&type=track" \
-H "X-API-Key: ext_live_YOUR_KEY"Key format
Secret keys look like:
ext_live_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0- The
ext_live_prefix is followed by 40 hex characters. - The full secret is returned exactly once, when the key is created. Only a display prefix (e.g.
ext_live_a1b2) is stored — if you lose the secret, create a new key.
Revoking and rotating
Revoke a key any time from the dashboard; it stops working immediately. To rotate without downtime:
- Create a new key.
- Deploy the new key to your services.
- Revoke the old key.
Keys carry no per-key limits — usage and billing are per account — so you can freely create one key per service or environment.
Keep keys server-side
Never ship an API key in client-side code. Anyone with the key can spend your credits. Proxy extractr calls through your backend.
Failure modes
| Situation | Status | Code |
|---|---|---|
| No key supplied | 401 | unauthorized |
| Key malformed, revoked or unknown | 401 | invalid_api_key |
See Errors for the response shape.