Understanding authentication

APIs use various authentication methods to control access and track usage. Understanding these authentication types helps you choose the right API and implement it correctly in your application.

Authentication types

The Public APIs directory uses five standardized authentication labels. Each API listing shows exactly which authentication method is required.

No auth
apiKey
OAuth
X-Mashape-Key
User-Agent

No authentication

These APIs require no authentication at all - you can start making requests immediately without registering or obtaining credentials.

How it works

Simply make HTTP requests to the API endpoint. No headers, keys, or tokens required.

Examples from the directory

Cat Facts - Daily cat facts

curl https://cat-fact.herokuapp.com/facts

Dogs - Dog pictures from Stanford Dogs Dataset

curl https://dog.ceo/api/breeds/image/random

Bored - Random activity suggestions

curl https://www.boredapi.com/api/activity

Axolotl - Axolotl pictures and facts

curl https://theaxolotlapi.netlify.app/

CoinGecko - Cryptocurrency prices and market data

curl https://api.coingecko.com/api/v3/ping

Best for

Learning and experimentation
Prototyping and demos
Public data that doesn’t require rate limiting
Side projects and hobby apps

Limitations

Often have stricter rate limits
May have limited features compared to authenticated access
No usage tracking or analytics
Can’t be customized for your use case

API Key authentication

The most common authentication method. APIs marked with apiKey require you to register for an account and generate a private key or token.

How it works

Sign up on the API provider’s website
Generate an API key from your dashboard
Include the key in your requests (usually as a header or query parameter)

Examples from the directory

NASA - NASA data including imagery

curl "https://api.nasa.gov/planetary/apod?api_key=YOUR_API_KEY"

OpenWeatherMap - Weather data

curl "https://api.openweathermap.org/data/2.5/weather?q=London&appid=YOUR_API_KEY"

IPstack - IP geolocation

curl "http://api.ipstack.com/134.201.250.155?access_key=YOUR_API_KEY"

The Dog API - Dog pictures and data

curl -H "x-api-key: YOUR_API_KEY" https://api.thedogapi.com/v1/images/search

VirusTotal - File and URL malware scanning

curl -H "x-apikey: YOUR_API_KEY" https://www.virustotal.com/api/v3/files/{id}

Best for

Production applications
Apps requiring higher rate limits
Services that need usage tracking
APIs with tiered pricing (free tier + paid upgrades)

Key management tips

Never commit API keys to version control
Use environment variables to store keys
Rotate keys periodically
Use different keys for development and production
Monitor usage to detect unauthorized access

X-Mashape-Key authentication

A specific type of API key authentication that uses the X-Mashape-Key header. This was commonly used for APIs distributed through the RapidAPI (formerly Mashape) marketplace.

How it works

Subscribe to the API on RapidAPI marketplace
Copy your RapidAPI key
Include it in the X-Mashape-Key header (or X-RapidAPI-Key for newer APIs)

Example request

curl -H "X-Mashape-Key: YOUR_RAPIDAPI_KEY" \
     -H "Accept: application/json" \
     https://api.example.com/endpoint

Note

Many APIs that previously used X-Mashape-Key now use X-RapidAPI-Key as RapidAPI evolved. Always check the current API documentation.

Best for

APIs hosted on RapidAPI marketplace
Services distributed through API aggregators

User-Agent authentication

These APIs require a custom User-Agent header to identify your application. This is a lightweight form of identification rather than true authentication.

How it works

Include a User-Agent header with your application name and contact info (usually email).

Example

curl -H "User-Agent: MyApp/1.0 (myemail@example.com)" \
     https://api.example.com/data

Why APIs require this

Track which applications use the API
Contact developers if issues arise
Enforce fair use policies
Identify and block abusive clients

Best practices

Use a descriptive application name
Include version number
Provide contact email
Keep the format consistent

Example format:

User-Agent: AppName/Version (contact@email.com)

Common APIs requiring User-Agent

Some APIs will return errors or block requests without a proper User-Agent header, particularly APIs serving scientific data or following strict fair-use policies.

Choosing the right authentication level

For learning and prototyping

Start with No auth APIs - they’re the fastest way to get started and learn API concepts without setup overhead.

For production apps

Prefer apiKey or OAuth APIs. They offer:

Higher rate limits
Better reliability
Usage analytics
Support options
SLA guarantees (for paid tiers)

For user integrations

Use OAuth when you need to:

Access user data from other services
Perform actions on behalf of users
Connect multiple accounts

Security best practices

Protect your API keys

Store keys in environment variables, not in code
Use secret management tools (AWS Secrets Manager, HashiCorp Vault)
Never commit keys to Git repositories
Add .env to .gitignore
Rotate keys periodically

Use HTTPS

Always use HTTPS endpoints when available
Prefer APIs that support HTTPS (check the HTTPS column)
HTTP transmits keys in plain text - avoid for sensitive data

Implement rate limiting

Respect API rate limits
Implement exponential backoff for retries
Cache responses when appropriate
Monitor your usage

Validate and sanitize data

Never trust API responses blindly
Validate data types and formats
Sanitize data before displaying to users
Handle errors gracefully

Rate limits and quotas

Most APIs enforce rate limits to prevent abuse:

No auth APIs: Usually 100-1000 requests/hour
apiKey APIs: Often 1000-10,000+ requests/day on free tier
OAuth APIs: Varies by provider and permission scopes

Always check the API documentation for specific limits.

Next steps

Understand CORS compatibility for client-side apps
Learn how to search and filter APIs
Explore all available APIs

Get Started

Using the Directory

Understanding authentication

Authentication types

No authentication

How it works

Examples from the directory

Best for

Limitations

API Key authentication

How it works

Examples from the directory

Best for

Key management tips

OAuth authentication

How it works

Examples from the directory

OAuth vs API Key

Best for

X-Mashape-Key authentication

How it works

Example request

Note

Best for

User-Agent authentication

How it works

Example

Why APIs require this

Best practices

Common APIs requiring User-Agent

Choosing the right authentication level

For learning and prototyping

For production apps

For user integrations

Security best practices

Rate limits and quotas

Next steps

Get Started

Using the Directory

​Authentication types

​No authentication

​How it works

​Examples from the directory

​Best for

​Limitations

​API Key authentication

​How it works

​Examples from the directory

​Best for

​Key management tips

​OAuth authentication

​How it works

​Examples from the directory

​OAuth vs API Key

​Best for

​X-Mashape-Key authentication

​How it works

​Example request

​Note

​Best for

​User-Agent authentication

​How it works

​Example

​Why APIs require this

​Best practices

​Common APIs requiring User-Agent

​Choosing the right authentication level

​For learning and prototyping

​For production apps

​For user integrations

​Security best practices

​Rate limits and quotas

​Next steps

Authentication types

No authentication

How it works

Examples from the directory

Best for

Limitations

API Key authentication

How it works

Examples from the directory

Best for

Key management tips

OAuth authentication

How it works

Examples from the directory

OAuth vs API Key

Best for

X-Mashape-Key authentication

How it works

Example request

Note

Best for

User-Agent authentication

How it works

Example

Why APIs require this

Best practices

Common APIs requiring User-Agent

Choosing the right authentication level

For learning and prototyping

For production apps

For user integrations

Security best practices

Rate limits and quotas

Next steps