Skip to main content

Overview

ManyPi uses API key authentication with Bearer tokens. All API requests must include a valid API key in the Authorization header.
API keys are tied to your account and provide access to all your scrapers. Keep them secure and never commit them to version control.

Getting your API key

1

Navigate to API Keys

Go to SettingsAPI Keys in your dashboard.
2

Create a new key

Click “Create API Key” and give it a descriptive name (e.g., “Production Server”, “Staging Environment”).
3

Copy and store securely

Copy the API key immediately - you won’t be able to see it again!
Store your API key securely. Never commit it to Git or share it publicly.

Making authenticated requests

Basic authentication

Include your API key in the Authorization header as a Bearer token:
cURL

Authentication format

  • Scheme: Bearer
  • Token: Your API key (no additional encoding needed)

Code examples


Environment variables

Store your API key in environment variables, never hardcode it:
.env
Add .env to your .gitignore file!

Authentication errors

401 Unauthorized

Cause: Missing or invalid API key
Solutions:
  • Check that the Authorization header is present
  • Verify the API key is correct (no extra spaces or characters)
  • Ensure the API key hasn’t been deleted or revoked
  • Confirm you’re using the Bearer scheme

403 Forbidden

Cause: Valid API key but insufficient permissions or credits
Solutions:
  • Check your credit balance in the dashboard
  • Purchase additional credits or upgrade your plan
  • Verify the scraper belongs to your account

Managing API keys

Creating multiple keys

Create separate API keys for different purposes:
Benefits:
  • Isolate rate limits (60 req/min per key)
  • Easier to rotate keys without downtime
  • Better security through separation
  • Track usage by service

Rotating API keys

1

Create new key

Generate a new API key in the dashboard with a descriptive name.
2

Update your application

Deploy the new key to your application (use blue-green deployment or rolling updates).
3

Monitor

Verify the new key is working correctly in production.
4

Revoke old key

Once confirmed, delete the old API key from the dashboard.
Rotate API keys regularly (every 90 days) as a security best practice.

Revoking compromised keys

If an API key is compromised:
  1. Immediately revoke the key in your dashboard
  2. Create a new key and update your application
  3. Review usage logs for any suspicious activity
  4. Monitor credits for unexpected consumption

Security best practices

.gitignore
Use environment variables or secret management services instead.
For production applications, use dedicated secret management:
  • AWS Secrets Manager
  • HashiCorp Vault
  • Azure Key Vault
  • Google Secret Manager
  • Doppler
  • 1Password Secrets Automation
Set up a rotation schedule:
  • Don’t log API keys
  • Don’t send keys in URLs or query parameters
  • Don’t include keys in client-side code
  • Use server-side proxies for browser applications
Track API key usage to detect anomalies:

Testing authentication

Verify your API key

Test your API key with a simple request:
Look for:
  • HTTP/1.1 200 OK - Authentication successful
  • HTTP/1.1 401 Unauthorized - Invalid API key
  • HTTP/1.1 403 Forbidden - Valid key but insufficient permissions/credits

Automated testing


Next steps

Create API key

Generate your first API key in the dashboard

Make your first request

Follow the quickstart guide

Rate limiting

Learn about rate limits per API key

API Reference

Explore the complete API documentation