|Documentation
Sign Up

Authentication

vatnode uses API keys to authenticate requests. All API requests require a valid API key.

API Key Format

API keys follow this format:

vat_{environment}_{prefix}

Examples:
vat_live_sk_...  - Production keys for live data
vat_test_sk_...  - Test keys (coming soon)

Using Your API Key

Include your API key in the Authorization header with every request:

Terminal
curl https://api.vatnode.dev/v1/vat/IE6388047V \
  -H "Authorization: Bearer vat_live_your_key_here"

Creating API Keys

  1. Sign in to your Dashboard
  2. Navigate to API Keys
  3. Click "Create Key"
  4. Enter a descriptive label (e.g., "Production Server", "Development")
  5. Select the environment (live or test)
  6. Click "Create"

Important: Copy your API key immediately after creation. For security reasons, we only show the full key once. After that, you'll only see a preview (e.g., vat_live_sk_abc...xyz).

Managing API Keys

Viewing Keys

Go to Dashboard > API Keys to see all your keys. Each key shows:

  • Label
  • Key preview (first and last characters)
  • Environment (live/test)
  • Last used timestamp
  • Created date

Deleting Keys

To delete a key:

  1. Find the key in your API Keys list
  2. Click the delete (trash) icon
  3. Confirm the deletion

Warning: Deleting a key is permanent and immediate. Any applications using this key will lose access.

Security Best Practices

Keep Keys Secret

  • Never commit API keys to version control
  • Don't expose keys in client-side code
  • Use environment variables to store keys
.env
# .env file
VATNODE_API_KEY=vat_live_sk_your_key_here
JavaScript
// Use environment variable
const apiKey = process.env.VATNODE_API_KEY;

Use Separate Keys

Create different keys for different environments and applications:

  • Production Server - For your live production environment
  • Development - For local development
  • Staging - For staging/testing environments

This way, if one key is compromised, you can revoke it without affecting other environments.

Rotate Keys Regularly

For enhanced security, rotate your API keys periodically:

  1. Create a new key
  2. Update your application to use the new key
  3. Verify the new key works
  4. Delete the old key

Rate Limits

All API requests are rate-limited to 30 requests per minute per IP address, regardless of plan. Monthly quotas are enforced separately per account.

PlanMonthly Quota
Free20
Starter1,000
Pro5,000
EnterpriseUnlimited

When you exceed the rate limit, you'll receive a 429 Too Many Requests response. Use the retryAfter field to know when to retry:

Response
{
  "error": {
    "code": "RATE_LIMITED",
    "message": "Rate limit exceeded. Please try again later.",
    "retryAfter": 30,
    "requestId": "req_abc123"
  }
}

Error Responses

Missing API Key

401 Unauthorized
{
  "error": {
    "code": "INVALID_API_KEY",
    "message": "API key is required",
    "requestId": "req_abc123"
  }
}

Invalid API Key

401 Unauthorized
{
  "error": {
    "code": "INVALID_API_KEY",
    "message": "Invalid API key",
    "requestId": "req_abc123"
  }
}