Authentication¶
All API requests must include a valid API key. Toolkit API supports two authentication methods depending on how you access the service.
Direct API Key¶
Include your API key in the X-API-Key header:
curl -X GET "https://dns.toolkitapi.io/v1/lookup?domain=toolkitapi.io&type=A" \
-H "X-API-Key: YOUR_KEY"
RapidAPI Proxy¶
If you access the API through RapidAPI's marketplace, the proxy automatically injects authentication headers. Use your RapidAPI key in the standard X-RapidAPI-Key header — the proxy translates this before forwarding to our servers.
curl -X GET "https://dnstoolkit1.p.rapidapi.com/v1/lookup?domain=toolkitapi.io&type=A" \
-H "X-RapidAPI-Key: YOUR_RAPIDAPI_KEY" \
-H "X-RapidAPI-Host: dnstoolkit1.p.rapidapi.com"
Route Shape Note¶
Endpoint path shape can vary by toolkit. For example:
- DNS lookup uses
/v1/lookup - Geo IP lookup uses
/v1/geo/ip-lookup
Always use the exact path shown in the endpoint reference.
API Key Scoping¶
A single API key works across all Toolkit API endpoints on a given plan. You don't need separate keys for DNS, Image, Email, etc.
Security Best Practices¶
Warning
Never expose your API key in client-side code, public repositories, or browser network requests.
- Store keys in environment variables, not source code
- Use server-side requests — never call the API directly from a browser
- Rotate keys immediately if you suspect a leak
- Use the lowest-privilege plan that meets your needs
Authentication Errors¶
| Status | Meaning |
|---|---|
401 Unauthorized |
Missing or invalid API key |
403 Forbidden |
Key is valid but not authorised for this endpoint or plan |
Example error response:
{
"detail": "Invalid or missing API key"
}