Authentication

All card data requests require an API key.

Getting Your API Key

1. Go to Sign Up and create an account
2. Your API key is generated and shown once — save it immediately
3. You can view the masked key anytime in your Dashboard

Using Your API Key

Include the key in the X-API-Key header on every request:

curl "https://tcg-api-production-5148.up.railway.app/cards/search?game=riftbound&name=dragon" \
  -H "X-API-Key: tcg_your_key_here"

JavaScript Example

const response = await fetch(
  'https://tcg-api-production-5148.up.railway.app/cards/search?game=riftbound&name=dragon',
  {
    headers: { 'X-API-Key': 'tcg_your_key_here' }
  }
);
const data = await response.json();

Python Example

import requests

response = requests.get(
    'https://tcg-api-production-5148.up.railway.app/cards/search',
    params={'game': 'riftbound', 'name': 'dragon'},
    headers={'X-API-Key': 'tcg_your_key_here'}
)
data = response.json()

Key Format

API keys are prefixed with tcg_ followed by 32 hex characters:

tcg_b4dcf4873ba941cbbd122109999a2fcf

Keys are stored as HMAC-SHA256 hashes — if you lose it, it cannot be recovered. You can regenerate a new key from your Dashboard.

Best Practices

• Never expose your key in client-side code or public repositories
• Store it in environment variables or a secrets manager
• Use it server-side only — proxy requests through your own backend if needed
• If compromised, regenerate it from the Dashboard