Authentication
Learn how to authenticate your API requests to KhaleejiAPI securely.
API Keys
KhaleejiAPI uses API keys to authenticate requests. You can view and manage your API keys in your dashboard.
Getting your API key
- Sign up for a free account at khaleejiapi.dev/signup
- Navigate to the API Keys section in your dashboard
- Click “Create new key” and give it a descriptive name
- Copy your API key — it starts with
kapi_live_and is shown only once
Authentication Method
Every request must include your API key in the Authorization header using the Bearer scheme. This is the canonical and recommended method.
Authorization: Bearer <your-key>
curl -X GET "https://khaleejiapi.dev/api/v1/ip/lookup?ip=8.8.8.8" \ -H "Authorization: Bearer YOUR_API_KEY"Common Pitfalls
These are the most frequent mistakes that cause authentication errors on the first call.
Using x-api-key as your primary integration header
Legacy clients may still be accepted when they send x-api-key, but new integrations should use the Authorization header with the Bearer scheme. Treat x-api-key as deprecated compatibility behavior, not the documented default:
curl -H "Authorization: Bearer kapi_live_your_key_here" \ https://khaleejiapi.dev/api/v1/ip/lookupSending the raw key without the Bearer prefix
The header value must be exactly Bearer <your-key>. Omitting Bearer or adding extra spaces returns 401.
✗ Wrong
Authorization: kapi_live_your_key_here✓ Correct
Authorization: Bearer kapi_live_your_key_hereWrong JS/TS SDK initialization — passing a bare string
The JavaScript/TypeScript SDK expects an options object with an apiKey property. Passing a bare string throws a runtime error.
✗ Wrong
// TypeError at runtimeconst client = new KhaleejiAPI('kapi_live_...');✓ Correct
const client = new KhaleejiAPI({ apiKey: 'kapi_live_your_key_here',});Exposing the key in client-side code
Bundling your API key into a browser or mobile app makes it visible in the network tab and public source maps. Anyone who finds it can exhaust your quota. Always call the API from your backend server or use the CORS & browser integration guide for the proxy pattern.
Using SDKs
Our official SDKs handle authentication automatically. Initialize the client once with your API key and every subsequent request is authenticated for you.
JavaScript / TypeScript
import { KhaleejiAPI } from '@khaleejiapi/sdk'; // Pass an options object — apiKey is a required named propertyconst client = new KhaleejiAPI({ apiKey: 'kapi_live_your_key_here' }); // All subsequent requests are automatically authenticatedconst result = await client.geo.lookupIp({ ip: '8.8.8.8' });Python
from khaleejiapi import KhaleejiAPI # Initialize with your API keyclient = KhaleejiAPI("kapi_live_your_key_here") # All subsequent requests are automatically authenticatedresult = client.geo.lookup_ip("8.8.8.8")Go
package main import ( "context" "fmt" khaleejiapi "github.com/khaleejiapi/sdk-go") func main() { client := khaleejiapi.New("kapi_live_your_key_here") ctx := context.Background() ip, _ := client.Geo.LookupIp(ctx, "8.8.8.8") fmt.Println(ip.Country)}Swift (iOS / macOS)
import KhaleejiAPI let client = KhaleejiAPI(apiKey: "kapi_live_your_key_here") let ip = try await client.geo.lookupIp("8.8.8.8")print(ip.country)Kotlin (Android / JVM)
import dev.khaleejiapi.KhaleejiAPI val client = KhaleejiAPI("kapi_live_your_key_here") val ip = client.geo.lookupIp("8.8.8.8")println(ip.country)PHP
<?phpuse KhaleejiAPI\KhaleejiAPI; $client = new KhaleejiAPI('kapi_live_your_key_here'); $ip = $client->geo->lookupIp('8.8.8.8');echo $ip['country'];Best Practices
Use Environment Variables
Store your API key in environment variables instead of hardcoding it in source code.
# .env.local (never commit this file)KHALEEJI_API_KEY=kapi_live_your_key_here// JavaScript / TypeScript — pass an options objectconst client = new KhaleejiAPI({ apiKey: process.env.KHALEEJI_API_KEY! });# Pythonimport osclient = KhaleejiAPI(os.environ["KHALEEJI_API_KEY"])Use Different Keys for Each Environment
Create separate API keys for development, staging, and production. This limits blast radius if a key leaks and makes it easy to track usage per environment.
Rotate Keys Regularly
Periodically rotate your API keys, especially if you suspect they may have been compromised.
Use Server-Side Requests
Make API calls from your backend server, not directly from client-side code.
Authentication Errors
| Status Code | Error | Description |
|---|---|---|
401 | unauthorized | No API key provided, invalid key, or missing Bearer prefix |
403 | forbidden | API key doesn't have access to this resource |
429 | rate_limited | Too many requests. Check rate limits. |
Troubleshooting 401 Unauthorized
A 401 means we received your request but the API key was missing, malformed, or rejected. Walk this list top to bottom — most issues are caught in the first three checks.
Use Authorization: Bearer <your-key> exactly
Do not send custom auth headers, query params, or raw keys without the Bearer scheme. Use one header with one space between Bearer and your key.
No leading or trailing whitespace
When copy-pasting from the dashboard, a stray space or newline at the end of the value is the most common cause. In Bash use $KHALEEJI_API_KEY via export rather than pasting inline.
Key is active and not revoked
Open Dashboard → API Keys. The key's status badge must read Active. A revoked key returns 401 immediately and cannot be revived — create a new key instead.
Sandbox key vs live endpoint
Sandbox keys (created with the “Sandbox Mode” toggle) are limited to 10 req/min and 1,000/month against test fixtures. They will not authenticate against high-volume live data — create a non-sandbox key for production traffic.
Right project / environment
Teams often have separate keys per environment. Confirm the value in your .env matches the dashboard for this environment, not staging.
Capture the request id
Every response includes x-request-id. Include it when you contact support and we can pull the exact log line in seconds. See the troubleshooting guide for the full error catalog.
Revoke and rotate keys
Revoke a key the moment you suspect it has leaked — revocation is instant and irreversible. The full incident playbook is at /docs/security/leaked-keys. The short version:
- Open Dashboard → API Keys and create a replacement key first.
- Update your deployment's environment variable.
- Redeploy / restart the workers that hold the key.
- Click Revoke on the old key.
- Audit recent requests via the dashboard or
GET /api/dashboard/api-keys/usage— an unfamiliar IP or country usually means the key was already abused. - Add a pre-commit secret scanner (e.g. gitleaks) so the next leak is caught before it pushes.