API Key Authentication

All OathNet API endpoints require authentication via API key. Your API key should be included in every request using the x-api-key header.
IMPORTANT: The header name must be lowercase: x-api-key. Using X-API-Key, X-Api-Key, or any other capitalization will cause authentication failures.

Getting Your API Key

1. Sign In
   Go to oathnet.org and sign in to your account.

2. Navigate to Account Settings

3. Copy Your API Key
   Your API key is displayed in the account settings. Copy it and store it securely.

Get Your API Key

Go to your dashboard to view your API key

Using Your API Key

Include the x-api-key header (lowercase!) in every request:
curl -X GET "https://oathnet.org/api/service/search-breach?q=test" \
  -H "x-api-key: YOUR_API_KEY"

Using the API Playground

The API documentation includes an interactive playground on each endpoint page. To use it:
1. Navigate to an Endpoint
   Go to any endpoint page (e.g., Breach Search).

2. Enter Your API Key
   Look for the Authorization section in the playground panel on the right. Click to expand it and enter your API key.

3. Set Parameters
   Fill in the required parameters for the endpoint.

4. Send Request
   Click Send to execute the request and see the live response.

Your API key is stored in your browser’s local storage and is only sent directly to the OathNet API server.

Authentication Errors

401 Unauthorized

Returned when the API key is missing or invalid:
{
  "success": false,
  "message": "Invalid or missing API key",
  "errors": {
    "authentication": "API key is required"
  }
}
Common causes:
  • Missing x-api-key header
  • Typo in the API key
  • Using wrong header name (e.g., Authorization or X-API-Key instead of x-api-key)

403 Forbidden

Returned when access is denied:
{
  "success": false,
  "message": "Access denied",
  "errors": {
    "authorization": "Your plan does not include access to this endpoint"
  }
}
Common causes:
  • Endpoint requires a higher subscription tier
  • Daily quota exceeded
  • Account suspended

Security Best Practices

Never hardcode API keys in your source code. Use environment variables:
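# .env file (add to .gitignore!)
OATHNET_API_KEY=your_api_key_here

# Python: read the key from the process environment.
# The .env file is not loaded automatically; it must be exported into the environment first.
import os
API_KEY = os.environ.get("OATHNET_API_KEY")
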
  • Never share your API key publicly
  • Don’t commit it to version control
  • Don’t include it in client-side code
  • If you believe your key has been compromised, contact support immediately
Regularly check your API usage in the dashboard to detect unusual activity or unexpected quota usage.
Never share your API key. If you believe your key has been compromised, contact support immediately.
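The lowercase-header requirement and the environment-variable advice above, combined in one client, as an added example that is not OathNet's own code. It uses http.client because that module sends header names exactly as written, whereas urllib.request.Request rewrites x-api-key to X-api-key. The function names are hypothetical; the host, path and error bodies are the ones shown on this page.

```python
import http.client
import json
import os
from urllib.parse import urlencode

API_HOST = "oathnet.org"                    # from the page's curl example
SEARCH_PATH = "/api/service/search-breach"  # from the page's curl example
HEADER_NAME = "x-api-key"                   # lowercase, as the page requires


def load_api_key(env=os.environ):
    """Read the key from the environment and fail closed if it is absent."""
    key = env.get("OATHNET_API_KEY", "").strip()
    if not key:
        raise RuntimeError("OATHNET_API_KEY is not set")
    return key


def build_request(query, api_key):
    """Return (method, path, headers) for http.client, which does not
    change header-name case. urllib.request.Request would store the name
    as 'X-api-key' because it applies str.capitalize() to it."""
    path = f"{SEARCH_PATH}?{urlencode({'q': query})}"
    return "GET", path, {HEADER_NAME: api_key}


def explain_auth_failure(status, body):
    """Map the documented 401/403 bodies to a hint; the key is never echoed."""
    if status not in (401, 403):
        return None
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = ""
    hints = {401: "check the x-api-key header name and the key value",
             403: "check plan tier, daily quota and account status"}
    return f"HTTP {status}: {message or 'no message'} ({hints[status]})"


def search_breach(query):
    """Hypothetical helper: send the request over TLS, return (status, body)."""
    method, path, headers = build_request(query, load_api_key())
    conn = http.client.HTTPSConnection(API_HOST, timeout=10)
    try:
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
```

Only search_breach touches the network; the other functions can be unit-tested offline against the 401 and 403 bodies shown above.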
