Authentication
Every request to a /v1/products/* endpoint requires an API key. Keys are tied to a user account and a plan. They never expire unless you set an expiry.
Sending the key
Two headers are accepted. Prefer Authorization: Bearer.
Authorization: Bearer sb_live_...
# or
X-API-Key: sb_live_...Getting a key
Sign up, verify your email, and a Free-tier key is issued automatically. Find it under Dashboard → API keys.
- Go to Sign up.
- Confirm the email we send you. The link expires in 24 hours.
- Save the full key shown on the verify page — you will not see it again.
Key format
All keys are prefixed with sb_live_ followed by 48 hex characters.
sb_live_2c2d68c6fc5996f37cf26a3ca1a5b78a72caaa58af13d352The first 16 characters (e.g. sb_live_2c2d68c6) are stored in plaintext as the key's prefix, so you can identify keys in the dashboard without ever seeing the full value.
Multiple keys
Up to 5 active keys per account. Use one per environment (production, staging, local) so a leak in one place does not compromise everything.
Each key tracks its own monthly request count and last-used timestamp.
Expiry
Optional. Set when creating a key — presets are 30 days, 90 days, 1 year, or a custom date. Expired keys return 401 API key expired. An expired key cannot be reactivated; create a new one.
Rotation and revocation
To rotate, create a new key, update your applications, then revoke the old one. Revocation is immediate.
- Revoke via Dashboard → API keys → Revoke.
- Revoked keys cannot be restored. Create a new one.
What requires auth
/v1/products/:ean— requires a key/v1/products/search— requires a key/v1/stats— public, no key needed