Authentication

Every endpoint except /v1/status requires an API key, sent as a bearer token.

The header

Send your key in the Authorization header on every request:

curl

$ curl https://api.carvector.io/v1/vehicles?make=Toyota&model=Tacoma \
  -H "Authorization: Bearer cv_your_key"

Getting a key

Create a key from your dashboard. Keys are prefixed with cv_ and shown in full only once, at creation — we store a hash, never the raw key. You can create multiple keys (e.g. one per environment) and give each a label.

Keep keys server-side

A CarVector key carries your plan's full access. Never embed it in client-side code, a mobile app, or a public repo. Call the API from your backend and proxy results to your front end. If a key leaks, revoke it from the dashboard — it's invalid immediately.

Revoking a key

Revoke any key from the dashboard. Revocation takes effect on the next request — a revoked key returns 401.

No key, or a bad key?

Missing or invalid keys return 401. See Errors & rate limits for the exact response shapes.

← Quickstart API reference →