Authentication
How to authenticate with the TCG Price Lookup API using API keys.
API Keys
All requests to the TCG Price Lookup API require an API key. Include it in the X-API-Key header on every request:
curl -H "X-API-Key: your-api-key" \
"https://api.tcgpricelookup.com/v1/search?q=charizard"API keys are tied to your account and plan. The free tier includes 200 requests per day. See pricing for Trader ($14.99/month, 10,000 req/day) and Business ($89.99/month, 100,000 req/day) plans.
Getting a key
- Create an account at tcgpricelookup.com
- Navigate to Dashboard → API Keys
- Click Generate New Key
- Copy the key — it’s only shown once in full
Your key looks like this:
tcg_live_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxStoring your key safely
Never hard-code API keys in source code. Use environment variables:
# .env (add to .gitignore!)
TCG_API_KEY=tcg_live_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx# .gitignore
.env
.env.local
.env.*.localAccess the key from your environment at runtime:
// Node.js
const apiKey = process.env.TCG_API_KEY;# Python
import os
api_key = os.environ["TCG_API_KEY"]# Shell
export TCG_API_KEY="tcg_live_sk_..."Using with SDKs
Every official SDK handles authentication automatically. Pass your API key during initialization and it’s included in every subsequent request:
// JavaScript / TypeScript
import { TCGLookup } from 'tcglookup';
const tcg = new TCGLookup({ apiKey: process.env.TCG_API_KEY });
const results = await tcg.search('black lotus');# Python
import os
from tcglookup import TCGLookup
tcg = TCGLookup(api_key=os.environ["TCG_API_KEY"])
results = tcg.search("black lotus")// Go
import (
"os"
tcg "github.com/TCG-Price-Lookup/tcglookup-go"
)
client := tcg.NewClient(tcg.WithAPIKey(os.Getenv("TCG_API_KEY")))
results, err := client.Search("black lotus", nil)// Rust
use tcglookup::Client;
let client = Client::new(std::env::var("TCG_API_KEY").unwrap());
let results = client.search("black lotus", None).await?;// PHP
use TCGPriceLookup\TCGLookup;
$tcg = new TCGLookup(['api_key' => getenv('TCG_API_KEY')]);
$results = $tcg->search('black lotus');Security best practices
Make API calls server-side. Your API key grants access to your full quota. If exposed in browser JavaScript, anyone can find it and drain your requests. Route all API calls through your backend and proxy results to your frontend.
Use environment variables everywhere. Never put your key in your codebase, in a config file checked into git, or in any client-side bundle. Use .env files locally and your host’s secret management in production (e.g., Vercel Environment Variables, AWS Secrets Manager, Railway secrets).
Rotate keys periodically. Treat API keys like passwords. Regenerate them on a schedule and immediately if you suspect exposure.
Use separate keys per environment. Generate one key for development and a separate key for production. This limits blast radius if a dev key leaks.
Common auth errors
Missing API key — 401
{
"error": {
"code": "MISSING_API_KEY",
"message": "The X-API-Key header is required.",
"status": 401
}
}You forgot to include the X-API-Key header. Check that your SDK is initialized with a key and that environment variables are loaded.
Invalid API key — 401
{
"error": {
"code": "INVALID_API_KEY",
"message": "The provided API key is invalid or expired.",
"status": 401
}
}The key doesn’t exist or has been revoked. Open your dashboard to verify or regenerate.
Plan restriction — 403
{
"error": {
"code": "PLAN_RESTRICTION",
"message": "Price history requires a Trader plan or above.",
"status": 403
}
}Your plan doesn’t include the endpoint you’re calling. Price history requires Trader or Business. Upgrade your plan.
API key management
Regenerating a key — go to Dashboard → API Keys → Regenerate. Your old key stops working immediately, so update all deployments before regenerating.
Revoking access — if you suspect your key has leaked, click Revoke in the dashboard. Generate a new key and redeploy.
Viewing usage — the dashboard shows your daily request count and remaining quota. The same info is available in real time via the X-RateLimit-Remaining header on every API response.