Getting Started

Authentication

The Decode Hash API uses API keys to authenticate requests. Include your key in every request to identify your account and track usage.

API Keys

You can obtain your API key from the Decode Hash Dashboard. Each key is tied to your account and plan, determining your rate limits and monthly quota.

Important: Keep your API keys secure. Do not share them in client-side code, public repositories, or anywhere that could be accessed by unauthorized users.

Authentication Header

Include your API key in the X-API-Key header of every request:

Authenticated Request

curl -X POST https://api.decode.cowdi.co/v1/lookup \
-H   "Content-Type: application/json" \
-H   "X-API-Key: sk_live_your_api_key_here" \
-d   '{"hash": "9a880505fc5c..."}'

If you make a request without a valid API key, or with an expired or revoked key, you will receive a 401 Unauthorized response:

Response401 Unauthorized

{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key provided is invalid or has been revoked."
  }
}

Key Types

Decode Hash provides two types of API keys, distinguished by their prefix:

sk_live_*Production

Use for production applications. Lookups count against your monthly quota. Returns real phone number data.

sk_test_*Test

Use during development and testing. Lookups do not count against your quota. Returns mock data for known test hashes.

Security Best Practices

1Store API keys in environment variables, never in source code.
2Use test keys (sk_test_*) during development to avoid consuming your quota.
3Rotate your keys periodically from the dashboard.
4Set up IP allowlists if your requests come from known server IPs.
5Use separate API keys for different applications or environments.