</>TCG Price Lookup
CatalogAPIPricingFAQDocsBlog
CatalogAPIPricingFAQDocsBlog
</>TCG Price Lookup

Real-time trading card price data and developer API. Live prices from TCGPlayer and eBay for Pokemon, Pokemon Japan, Magic: The Gathering, Yu-Gi-Oh!, One Piece, Disney Lorcana, Star Wars: Unlimited, and Flesh and Blood.

Product

  • Card Price Checker
  • Value Checker
  • Price Guide
  • API for Developers
  • Pricing

Games

  • Pokemon
  • Pokemon Japan
  • Magic: The Gathering
  • Yu-Gi-Oh!
  • One Piece
  • Disney Lorcana
  • Star Wars: Unlimited
  • Flesh and Blood

Resources

  • Blog
  • FAQ
  • Documentation
  • Contact

Legal

  • Privacy Policy
  • Terms of Service

© 2026 TCG Price Lookup. All rights reserved.

TCG Price Lookup is not affiliated with or endorsed by TCGPlayer, eBay, or any trading card game publisher.

All trading card game names, logos, and card imagery are trademarks and © of their respective owners. Pokemon is © Nintendo / Creatures Inc. / GAME FREAK Inc. Magic: The Gathering is © Wizards of the Coast LLC. Yu-Gi-Oh! is © Konami Digital Entertainment. One Piece Card Game is © Bandai / Shueisha / Toei Animation. Disney Lorcana is © Disney / Ravensburger. TCG Price Lookup is an independent card price tracking service and is not affiliated with, endorsed by, or sponsored by any of the above companies, PSA, BGS, CGC, or any grading service. All card names and imagery are used solely for identification and price tracking purposes.

Authentication

Every request to the TCG Price Lookup API is authenticated with a single API key, sent in the X-API-Key header over HTTPS. There are no OAuth flows, no token exchange, and no signing to implement.

The X-API-Key header

Send your key in the X-API-Key header on every call. The key is an opaque secret tied to your account and plan; it carries no prefix and never expires on its own. Requests must use https:// — plain HTTP is not served.

curl "https://api.tcgpricelookup.com/v1/cards/search?q=pikachu&game=pokemon" \
  -H "X-API-Key: YOUR_API_KEY"

Getting an API key

  1. 1Create a free account or sign in. No credit card is required for the Free plan.
  2. 2Open your dashboard and go to the API keys section.
  3. 3Click “Create key”, give it a name (e.g. “production” or “local-dev”), and generate it.
  4. 4Copy the key immediately and store it somewhere safe — it is shown in full only once.

You can keep up to 5 active keys per account. Trying to create a sixth returns 400 Maximum 5 active API keys allowed — delete an unused key first.

Managing & rotating keys

Use a separate key per application and environment so you can revoke one without breaking the others. Rotating a key is zero-downtime:

  1. 1Create a new key in the dashboard.
  2. 2Deploy it to your app (swap the environment variable).
  3. 3Once traffic has moved over, delete the old key.

Deleting a key takes effect within a few seconds — keys are validated server-side on every request and cached only briefly.

Keeping your key secret

  • •Never commit keys to source control or hardcode them in client bundles. Load them from an environment variable such as TCGAPI_KEY.
  • •Never expose your key in browser or mobile code. Anyone can read it from the network tab. Proxy requests through your own backend instead (see below).
  • •Use a different key for each environment (local, staging, production) so a leak is contained and easy to revoke.
  • •Rotate immediately if a key is exposed: create a new one, deploy, then delete the compromised key.
  • •Treat API responses as private. They are returned with Cache-Control: private, no-store and Vary: X-API-Key, because the fields you receive depend on your plan.

For browser, mobile, or any untrusted client, keep the key server-side and proxy the request:

"js-comment">// app/api/prices/route.ts — the key stays on the server, never in the browser
export async function GET(request) {
  const { searchParams } = new URL(request.url);
  const res = await fetch(
    "https:">//api.tcgpricelookup.com/v1/cards/search?" + searchParams,
    { headers: { "X-API-Key": process.env.TCGAPI_KEY } }
  );
  return Response.json(await res.json(), { status: res.status });
}

Authentication errors

Auth failures return a JSON body with an error field and the matching status. See the full error codes reference for everything else.

StatusNameResponse bodyWhat it means
401Missing key{ "error": "Missing X-API-Key header" }No X-API-Key header was sent. Add the header to every request.
401Invalid key{ "error": "Invalid API key" }The key is unknown, has been revoked, or was deactivated. Generate a new one in your dashboard.
403Plan restriction{ "error": "History endpoint requires trader plan or above" }Your key is valid, but your plan can't access this resource. Price history needs any paid plan; the Free plan is read-only on current prices.

Once you're authenticated, head to the API reference for every endpoint, or rate limits to see your plan's quotas.