Authentication Guide

This guide will help you understand the different ways you can authenticate your API requests. We support multiple methods to ensure flexibility and ease of integration. Below are the detailed methods and examples of how to use them.

1. API Key in Query Parameters

You can include your API key directly in the query parameters of your API request.


curl -X GET ""

2. API Key in Headers

You can also include your API key in the headers of your request. This method is more secure than including the key in the query parameters.

Custom Header (x-api-key):

curl -X GET -H "x-api-key: YOUR-API-KEY"

3. Bearer Token in Authorization Header

Using a Bearer token in the Authorization header is a widely used method for authentication. You can include your API key as a Bearer token.


curl -X GET -H "Authorization: Bearer YOUR-API-KEY"

4. API Key in Request Body

Although less common and not recommended for GET requests, you can pass the API key in the body of POST requests.


curl -X POST -d '{"api_key": "YOUR-API-KEY"}' -H "Content-Type: application/json"

Choosing the Right Authentication Method

  • Query Parameters: Quick and easy for testing or when making simple API calls from a browser. However, it's less secure since the API key is exposed in the URL.

  • Headers (x-api-key): More secure than query parameters. Recommended for production use.

  • Bearer Token: Standard practice for modern APIs. Use this method if you are integrating with systems that already use Bearer tokens.

  • Request Body: Useful for POST requests where including the key in the body is necessary. Not recommended for GET requests due to security concerns.

Tip: If you already use a specific authentication method in your application to make request on your production server, try to use the same method in your MockAPI so you only need to change the base URL and the API Key when making request to each one.

Additional Security Tips

  • Use HTTPS: Always use HTTPS to encrypt your API requests and responses.

  • Keep API Keys Secret: Never expose your API keys in public repositories, client-side code, or public forums.

  • Rotate Keys Regularly: Periodically change your API keys to minimize the risk of them being compromised.


  • 401 Unauthorized: Ensure your API key is correct and included in the request using one of the supported methods.

  • 403 Forbidden: Your API key might be valid but lacks the necessary permissions to access the requested resource.

  • 404 Not Found: Check the endpoint URL for typos or errors.

By following this guide, you can securely authenticate your requests to MockAPI and ensure smooth integration with our services.

Last updated