Authentication

Every data request requires an API key. There is no anonymous access — the only unauthenticated endpoints are GET /health and GET /v1 (discovery metadata).

API keys

Keys are self-serve from Account → API keys on pikaqian.com. A live key is prefixed pk_live_ and its secret is shown once at creation — store it securely. Each account has one active key at a time: to rotate, revoke the current key first (from the same page), then create the new one. A revoked key stops working immediately.

Your key's tier (free / hobby / pro) is determined by your subscription and is resolved on every request — upgrading or downgrading takes effect without issuing a new key. See Tiers & rate limits.

Sending the key

Pass the key in the X-API-Key request header:

curl https://api.pikaqian.com/v1/cards \
  -H "X-API-Key: pk_live_your_key_here"

Keep keys server-side

Treat your key like a password. Don't embed it in browser/mobile client code or commit it to source control — anyone with the key consumes your quota. Proxy requests through your own backend instead.
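
A minimal sketch of the backend-proxy pattern recommended above, added here as an example and not taken from the pikaqian documentation. It assumes the key lives in an environment variable named PIKAQIAN_API_KEY (a hypothetical name) and uses only the Python standard library; the function and class names are illustrative.

```python
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

UPSTREAM = "https://api.pikaqian.com"  # host from the curl example
KEY_ENV = "PIKAQIAN_API_KEY"           # assumed variable name, not from the docs

def build_upstream_request(client_path):
    """Map a client-facing path to an upstream request that carries the key.

    Returns None unless the input is a plain /v1/... path, so the proxy
    cannot be steered to another host or to routes outside the API.
    """
    parts = urlsplit(client_path)
    if parts.scheme or parts.netloc or not parts.path.startswith("/v1/"):
        return None
    if ".." in parts.path.split("/"):
        return None
    url = UPSTREAM + parts.path + ("?" + parts.query if parts.query else "")
    # The key is read server-side (KeyError if unset, so the proxy fails closed).
    # No client-supplied header is copied into the upstream request.
    return urllib.request.Request(url, headers={"X-API-Key": os.environ[KEY_ENV]})

class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):
        req = build_upstream_request(self.path)
        if req is None:
            self.send_error(404)
            return
        try:
            resp = urllib.request.urlopen(req, timeout=10)
        except urllib.error.HTTPError as err:
            resp = err  # pass 401/403/429 error envelopes through unchanged
        except urllib.error.URLError:
            self.send_error(502)
            return
        body = resp.read()
        self.send_response(resp.code)
        for name in ("Content-Type", "X-Request-ID"):
            if resp.headers.get(name):
                self.send_header(name, resp.headers[name])
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

The proxy spends your quota on behalf of whoever can reach it, so put your own session authentication and rate limiting in front of it before exposing it beyond localhost.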

Auth errors

Authentication failures use the standard error envelope:

| Status | code | When |
|---|---|---|
| 401 | missing_api_key | No X-API-Key header was sent. |
| 401 | invalid_api_key | The key isn't recognised (revoked, typo'd, or wrong environment). |
| 403 | tier_required | Your tier is below what the route or filter requires. |
| 429 | rate_limited | You exceeded the per-minute burst or the monthly quota. |

Example:

{
  "error": {
    "code": "missing_api_key",
    "message": "API key required",
    "request_id": "f0e1d2c3-…"
  }
}

The request_id is echoed in the X-Request-ID response header on every request — include it when contacting support.