Every request to the TCG Price Lookup API is authenticated with a single API key, sent in the X-API-Key header over HTTPS. There are no OAuth flows, no token exchange, and no signing to implement.
Send your key in the X-API-Key header on every call. The key is an opaque secret tied to your account and plan; it carries no prefix and never expires on its own. Requests must use https:// — plain HTTP is not served.
curl "https://api.tcgpricelookup.com/v1/cards/search?q=pikachu&game=pokemon" \
-H "X-API-Key: YOUR_API_KEY"You can keep up to 5 active keys per account. Trying to create a sixth returns 400 Maximum 5 active API keys allowed — delete an unused key first.
Use a separate key per application and environment so you can revoke one without breaking the others. Rotating a key is zero-downtime:
Deleting a key takes effect within a few seconds — keys are validated server-side on every request and cached only briefly.
TCGAPI_KEY.Cache-Control: private, no-store and Vary: X-API-Key, because the fields you receive depend on your plan.For browser, mobile, or any untrusted client, keep the key server-side and proxy the request:
"js-comment">// app/api/prices/route.ts — the key stays on the server, never in the browser
export async function GET(request) {
const { searchParams } = new URL(request.url);
const res = await fetch(
"https:">//api.tcgpricelookup.com/v1/cards/search?" + searchParams,
{ headers: { "X-API-Key": process.env.TCGAPI_KEY } }
);
return Response.json(await res.json(), { status: res.status });
}Auth failures return a JSON body with an error field and the matching status. See the full error codes reference for everything else.
| Status | Name | Response body | What it means |
|---|---|---|---|
401 | Missing key | { "error": "Missing X-API-Key header" } | No X-API-Key header was sent. Add the header to every request. |
401 | Invalid key | { "error": "Invalid API key" } | The key is unknown, has been revoked, or was deactivated. Generate a new one in your dashboard. |
403 | Plan restriction | { "error": "History endpoint requires trader plan or above" } | Your key is valid, but your plan can't access this resource. Price history needs any paid plan; the Free plan is read-only on current prices. |
Once you're authenticated, head to the API reference for every endpoint, or rate limits to see your plan's quotas.