Documentation Index Fetch the complete documentation index at: https://mintlify.com/public-apis/public-apis/llms.txt
Use this file to discover all available pages before exploring further.
APIs use various authentication methods to control access and track usage. Understanding these authentication types helps you choose the right API and implement it correctly in your application.
Authentication types The Public APIs directory uses five standardized authentication labels. Each API listing shows exactly which authentication method is required.
No auth
apiKey
OAuth
X-Mashape-Key
User-Agent
No authentication These APIs require no authentication at all - you can start making requests immediately without registering or obtaining credentials. How it works Simply make HTTP requests to the API endpoint. No headers, keys, or tokens required. Examples from the directory Cat Facts - Daily cat factscurl https://cat-fact.herokuapp.com/facts
Dogs - Dog pictures from Stanford Dogs Datasetcurl https://dog.ceo/api/breeds/image/random
Bored - Random activity suggestionscurl https://www.boredapi.com/api/activity
Axolotl - Axolotl pictures and factscurl https://theaxolotlapi.netlify.app/
CoinGecko - Cryptocurrency prices and market datacurl https://api.coingecko.com/api/v3/ping
Best for
Learning and experimentation
Prototyping and demos
Public data that doesn’t require rate limiting
Side projects and hobby apps
Limitations
Often have stricter rate limits
May have limited features compared to authenticated access
No usage tracking or analytics
Can’t be customized for your use case
API Key authentication The most common authentication method. APIs marked with apiKey require you to register for an account and generate a private key or token. How it works
Sign up on the API provider’s website
Generate an API key from your dashboard
Include the key in your requests (usually as a header or query parameter)
Examples from the directory NASA - NASA data including imagerycurl "https://api.nasa.gov/planetary/apod?api_key=YOUR_API_KEY"
OpenWeatherMap - Weather datacurl "https://api.openweathermap.org/data/2.5/weather?q=London&appid=YOUR_API_KEY"
IPstack - IP geolocationcurl "http://api.ipstack.com/134.201.250.155?access_key=YOUR_API_KEY"
The Dog API - Dog pictures and datacurl -H "x-api-key: YOUR_API_KEY" https://api.thedogapi.com/v1/images/search
VirusTotal - File and URL malware scanningcurl -H "x-apikey: YOUR_API_KEY" https://www.virustotal.com/api/v3/files/{id}
Best for
Production applications
Apps requiring higher rate limits
Services that need usage tracking
APIs with tiered pricing (free tier + paid upgrades)
Key management tips
Never commit API keys to version control
Use environment variables to store keys
Rotate keys periodically
Use different keys for development and production
Monitor usage to detect unauthorized access
OAuth authentication OAuth is used when an API needs to access user data from another service or requires delegated authorization. Common for social networks and services with user accounts. How it works
Register your application with the API provider
Obtain client ID and client secret
Implement OAuth flow to get user authorization
Exchange authorization code for access token
Use access token in API requests
Examples from the directory GitHub - Repository and user data
Requires OAuth to access private repos
Scopes control what data you can access
Google Calendar - Calendar events and management
OAuth required to access user’s calendars
User must grant permission
Trello - Boards and project management
OAuth for accessing user’s boards
Can read and modify user data
AniAPI - Anime discovery and tracking
OAuth for syncing with user trackers
Dribbble - Designer portfolios and work
OAuth to access user’s designs
OAuth vs API Key Use OAuth when:
Accessing user-specific data
Performing actions on behalf of a user
Building integrations with user accounts
Need granular permission scopes
Use API Key when:
Accessing public or your own data
Simple authentication is sufficient
Don’t need user-specific permissions
Best for
Third-party integrations
Apps that connect user accounts
Services requiring delegated permissions
Enterprise applications
X-Mashape-Key authentication A specific type of API key authentication that uses the X-Mashape-Key header. This was commonly used for APIs distributed through the RapidAPI (formerly Mashape) marketplace. How it works
Subscribe to the API on RapidAPI marketplace
Copy your RapidAPI key
Include it in the X-Mashape-Key header (or X-RapidAPI-Key for newer APIs)
Example request curl -H "X-Mashape-Key: YOUR_RAPIDAPI_KEY" \ -H "Accept: application/json" \ https://api.example.com/endpoint
Note Many APIs that previously used X-Mashape-Key now use X-RapidAPI-Key as RapidAPI evolved. Always check the current API documentation. Best for
APIs hosted on RapidAPI marketplace
Services distributed through API aggregators
User-Agent authentication These APIs require a custom User-Agent header to identify your application. This is a lightweight form of identification rather than true authentication. How it works Include a User-Agent header with your application name and contact info (usually email). Example curl -H "User-Agent: MyApp/1.0 (myemail@example.com)" \ https://api.example.com/data
Why APIs require this
Track which applications use the API
Contact developers if issues arise
Enforce fair use policies
Identify and block abusive clients
Best practices
Use a descriptive application name
Include version number
Provide contact email
Keep the format consistent
Example format: User-Agent: AppName/Version (contact@email.com)
Common APIs requiring User-Agent Some APIs will return errors or block requests without a proper User-Agent header, particularly APIs serving scientific data or following strict fair-use policies. Choosing the right authentication level For learning and prototyping Start with No auth APIs - they’re the fastest way to get started and learn API concepts without setup overhead.
For production apps Prefer apiKey or OAuth APIs. They offer:
Higher rate limits
Better reliability
Usage analytics
Support options
SLA guarantees (for paid tiers)
For user integrations Use OAuth when you need to:
Access user data from other services
Perform actions on behalf of users
Connect multiple accounts
Security best practices
Store keys in environment variables, not in code
Use secret management tools (AWS Secrets Manager, HashiCorp Vault)
Never commit keys to Git repositories
Add .env to .gitignore
Rotate keys periodically
Always use HTTPS endpoints when available
Prefer APIs that support HTTPS (check the HTTPS column)
HTTP transmits keys in plain text - avoid for sensitive data
Respect API rate limits
Implement exponential backoff for retries
Cache responses when appropriate
Monitor your usage
Validate and sanitize data
Never trust API responses blindly
Validate data types and formats
Sanitize data before displaying to users
Handle errors gracefully
Rate limits and quotas Most APIs enforce rate limits to prevent abuse:
No auth APIs : Usually 100-1000 requests/hourapiKey APIs : Often 1000-10,000+ requests/day on free tierOAuth APIs : Varies by provider and permission scopes
Always check the API documentation for specific limits.
Next steps 
