Authentication

Authenticate your API requests using API keys

API Keys

ReportCar uses API keys to authenticate requests. You can view and manage your API keys in the Dashboard.

Keep your API keys secure

Your API keys carry many privileges, so be sure to keep them secure. Do not share your API keys in publicly accessible areas such as GitHub or client-side code.

Bearer Token Authentication

Include your API key in the Authorization header using the Bearer scheme:

curl https://reportcar.com/api/b2b/vehicle/ABC123 \
  -H "Authorization: Bearer pk_live_abc123..."

API Key Format

ReportCar API keys follow a specific format to help identify their purpose:

pk_live_... - Production (Live) Key

Use this key in your production environment

pk_test_... - Test Key

Use this key for development and testing

Authentication Errors

If authentication fails, you'll receive a 401 Unauthorized response:

{
  "error": "Invalid API key",
  "message": "The provided API key is invalid or has been revoked"
}

Common Authentication Errors

401 - Missing API key

No Authorization header was provided

401 - Invalid API key

The API key is malformed or doesn't exist

401 - Revoked API key

The API key has been revoked or disabled

429 - Rate limit exceeded

You've exceeded your rate limit. See Rate Limits.

Best Practices

Store API keys in environment variables

Never hardcode API keys in your source code

Rotate keys regularly

Recommended: Rotate production keys every 90 days

Use HTTPS only

All API requests must be made over HTTPS
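
The practices above combined in one client-side helper, added here as an example and not ReportCar's own code. The environment variable name REPORTCAR_API_KEY and all function names are assumptions; the host and path come from the curl example on this page, and the sample key is constructed.

```python
import os
import urllib.request
from urllib.parse import urlsplit

API_HOST = "reportcar.com"          # host from the curl example on this page
KEY_ENV_VAR = "REPORTCAR_API_KEY"   # assumed variable name, not defined by ReportCar
KEY_PREFIXES = {"pk_live_": "live", "pk_test_": "test"}


def load_api_key(expected_mode, environ=os.environ):
    """Read the key from the environment and check its prefix against the deployment."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    mode = next((m for p, m in KEY_PREFIXES.items() if key.startswith(p)), None)
    if mode is None:
        raise ValueError("key does not start with pk_live_ or pk_test_")
    if mode != expected_mode:
        raise ValueError(f"{mode} key loaded where a {expected_mode} key is expected")
    return key


def redact(key):
    """Log-safe form: the 8-character prefix only, never key material."""
    return key[:8] + "..."


def build_request(url, key):
    """Attach the Bearer header only for HTTPS URLs on the API host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != API_HOST:
        raise ValueError(f"refusing to send {redact(key)} to {url}")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})


def should_retry(status):
    """429 is a rate limit, so back off and retry; 401 needs a new or fixed key."""
    return status == 429


if __name__ == "__main__":
    env = {KEY_ENV_VAR: "pk_test_CONSTRUCTED"}   # constructed sample, not a real key
    key = load_api_key("test", env)
    req = build_request(f"https://{API_HOST}/api/b2b/vehicle/ABC123", key)
    print(req.full_url, redact(key), should_retry(401), should_retry(429))
```

Checking the prefix against the expected mode catches a live key that has been copied into a development or CI environment before any request is sent.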