Authentication

The Carapis API authenticates with a single API key sent as a Bearer token in the Authorization header — no OAuth, no session cookies. Create a key in your dashboard and attach it to every request.

Get your API key

  1. Sign in at my.carapis.com.
  2. Open your dashboard and create an API key.
  3. Copy the key and store it securely — you will use it on every request.

Treat the key like a password. Never expose it in client-side code, public repositories or URLs. Store it in an environment variable instead:

export CARAPIS_API_KEY="your_api_key_here"

Header format

Send the key as a Bearer token on every request:

Authorization: Bearer <API_KEY>

import os, requests

resp = requests.get(
    "https://api.carapis.com/v2/listings",
    params={"source": "encar", "limit": 20},
    headers={"Authorization": f"Bearer {os.environ['CARAPIS_API_KEY']}"},
)

Missing or invalid keys

A request without a valid key is rejected:

  • 401 Unauthorized — the Authorization header is missing or the key is invalid.
  • 403 Forbidden — the key is valid but not permitted for the requested resource or plan.

See Errors for the full error shape and Rate limits for plan-based throttling.
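
An added example, not part of the Carapis documentation: client-side key handling that fails closed on a missing or placeholder key, keeps the key out of the URL, redacts it from logged headers, and separates the 401 and 403 cases listed above. The function names, the `[REDACTED]` marker and the returned action labels are assumptions made for this example; it builds the request with the standard library and does not send it.

```python
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.carapis.com/v2"  # base of the listings URL shown on this page
PLACEHOLDER = "your_api_key_here"        # placeholder value from the export line above


class AuthConfigError(RuntimeError):
    """Raised before any network call when the key is unusable."""


def load_api_key(env=os.environ):
    # Fail closed: never build a request with a missing or placeholder key.
    key = (env.get("CARAPIS_API_KEY") or "").strip()
    if not key or key == PLACEHOLDER:
        raise AuthConfigError("CARAPIS_API_KEY is not set")
    # Embedded whitespace or control characters would corrupt the header line.
    if any(c.isspace() or not c.isprintable() for c in key):
        raise AuthConfigError("CARAPIS_API_KEY contains invalid characters")
    return key


def build_request(key, path, params=None):
    # The key travels only in the Authorization header, never in the query string.
    params = dict(params or {})
    if any(key in str(v) for v in params.values()):
        raise AuthConfigError("API key found in query parameters")
    url = f"{BASE_URL}/{path.lstrip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})


def loggable_headers(req):
    # Copy of the request headers that is safe to write to logs.
    return {k: ("Bearer [REDACTED]" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}


def classify_auth_failure(status):
    # Mapping follows the two status codes documented above.
    if status == 401:
        return "check_key"   # header missing or key invalid
    if status == 403:
        return "check_plan"  # key valid, resource or plan not permitted
    return None
```

A `check_plan` result means replacing the key will not help, so alerting on 401 and 403 separately keeps key problems apart from entitlement problems.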

Rotating keys

If a key is exposed, create a new one in your dashboard and stop using the old one. Rolling your key takes effect immediately.
