---
title: Authentication
description: How to authenticate requests - pass your API key as a Bearer token. Keys have prefixes, can be rotated, and are tied to a workspace.
order: 5
---

# Authentication

Every request to `https://api.amazonscraperapi.com` must carry your API key as a Bearer token:

```http
GET /api/v1/amazon/product?query=B09HN3Q81F
Authorization: Bearer asa_live_YOUR_KEY_HERE
```

Requests without a valid key return `401 Unauthorized`. Unauthorized requests are free - they never touch your credit balance.

## Key format

All keys start with a prefix so you can tell them apart at a glance:

| Prefix | Meaning |
|---|---|
| `asa_live_` | Production traffic. This is what you want 99% of the time. |
| `asa_test_` | Sandbox keys (roadmap). Return deterministic fixtures, never touch Amazon, never bill. |

The 12 characters after the prefix (e.g. `asa_live_Tq0x4k9Pd8Mn`) form the shortprefix displayed in the dashboard and in our logs - enough to identify a key without revealing the full secret.

## Where to get a key

Sign up at [app.amazonscraperapi.com](https://app.amazonscraperapi.com) (Google sign-in or magic-link email; no card required for the free tier). Go to **Settings > API keys** and click **Generate new key**. The full key is shown exactly once at creation time - save it to your secrets manager right then.

## Rotating keys

1. Generate a second key in the dashboard.
2. Deploy the new key to your app.
3. Revoke the old key.

Revocation takes effect within ~30 seconds globally. Revoked keys return `401 Unauthorized` with `{"error":"revoked"}`.

## Multiple keys, workspace-wide

You can have up to 20 active keys per workspace. Usage is aggregated across all of them - your plan's monthly credit allowance is per workspace, not per key. The **Usage** tab lets you filter by key so you can tell which service burned through what.

## Key hygiene (important)

- **Never embed a key in client-side code** - browsers, mobile apps, public repos are all one-way streets. Proxy requests through your own server.
- **Store keys in a secrets manager.** Not in `.env` files checked into git. Not in Slack screenshots.
- **Use a separate key per environment** (`asa_live_...` for prod, another for staging). When a key leaks, you revoke only the affected environment.
- **Rotate on a schedule** - quarterly is a reasonable cadence. If a key ever appears in logs, git history, or a paste bin, rotate immediately.

## IP allow-lists (roadmap)

Restricting a key to a list of egress IPs will be available on Pro and Custom plans. Write to <info@amazonscraperapi.com> if you need it sooner - we can enable it manually.

## What happens to usage when a key is revoked

Historical usage for a revoked key stays in your dashboard for 90 days under **Usage**. The key itself can no longer authenticate, so no new charges are possible against it.

## Related

- [Getting started](/docs/getting-started) - make your first request
- [Error codes](/docs/guides/errors) - full list of `401` reasons
- [Rate limits & concurrency](/docs/guides/rate-limits) - per-key ceilings