https://api.vulcx.xyz) is authenticated with an API key,
except GET /health and GET /api/v1/tokens, which are public and require no key. Keys look
like vulcx_ followed by a long hex string, and you send them in the standard Authorization: Bearer header (or as a ?key= query parameter — the only option for the WebSocket stream).
This applies to the WebSocket stream too:
GET /api/v1/stream requires a key just like every
other endpoint. See WebSocket streaming below for the query-param form.Vulcx is free during beta — there are no paid tiers yet. You still need a key so we can
apply rate limits and keep the service healthy.
Get an API key
Request a key
During beta, keys are issued through our Telegram. Reach out and ask —
keys are granted at no cost.
Get an API key on Telegram
Message the Vulcx team on Telegram and request a key.
Authenticate a request
Send your key in theAuthorization header on every request:
SDK and widget
The SDK and widget take the key directly — you don’t set headers yourself.WebSocket streaming
Browsers can’t set custom headers on a WebSocket connection, so the streaming endpoint accepts the key as akey query parameter instead:
Keep your key secret
- Server-side keys stay on the server. Don’t commit keys to git or ship them in a public repo.
- Browser and widget usage exposes the key in client code. For client-side embeds, use a key you’ve provisioned for that purpose and rotate it if it leaks.
- Rotate compromised keys by requesting a new one and retiring the old.
Errors
A missing or invalid key returns an authentication error:| Status | Meaning |
|---|---|
401 Unauthorized | No API key was provided. |
403 Forbidden | The key is invalid, disabled, or revoked. |
AuthError — see SDK error handling. For
throughput limits and the 429 response, see Rate limits.