Authentication

The API uses bearer-token authentication. Send your key in the Authorization header on every request. Keys do not expire. Revoke them from your dashboard.

Header format

curl "https://api.coinmarketcal.com/v2/events" \
  -H "Authorization: Bearer $COINMARKETCAL_API_KEY"

Mint a key

  1. Open API keys.
  2. Click + New API key and give it a descriptive name.
  3. Copy the full secret once. Subsequent reads return the masked tail (cmc_live_••••3f7a).

Each tier caps the number of keys (Free 1, Elite 20, Enterprise unlimited), enforced at creation.

Access

Each key inherits your organization plan: rate limits and product features (such as webhooks on Elite+) apply at the org level, not per key.

Safety

  • Server-side only. Never embed a key in a browser bundle, mobile app, or public repo. The dashboard exposes the full key once at creation; treat it as a password.
  • Rotate when leaked. The dashboard's rotate action mints a fresh secret; the old one stops working immediately.
  • Use multiple keys. Mint one key per service (production, staging, batch jobs) so a leak is scoped to one service.
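
One way to enforce the "never in a public repo" rule before code leaves a workstation, as an added example that is not CoinMarketCal's own code: a shell scan for strings carrying the cmc_live_ prefix. The key body pattern (16 or more alphanumeric characters after the prefix) is an assumption, since this page shows only the prefix and a masked 4-character tail; mask_key, scan_for_keys and demo are names chosen here.

```sh
# Added example, not CoinMarketCal code: scan a source tree for committed API keys.
# ASSUMPTION: a full secret is "cmc_live_" plus 16 or more characters of
# [A-Za-z0-9]; the page documents only the prefix and a 4-character masked tail.
KEY_RE='cmc_live_[A-Za-z0-9]{16,}'

# mask_key SECRET: print the prefix and last four characters only, so the
# scanner's own output (hook output, CI logs) never repeats the secret.
mask_key() {
  last4=$(printf '%s' "$1" | sed 's/.*\(....\)$/\1/')
  printf 'cmc_live_****%s\n' "$last4"
}

# scan_for_keys DIR: print "file:line: masked-key" for every hit.
# Returns 0 when the tree is clean and 1 when at least one key was found.
# Needs a grep with -r, -o, -I and --exclude-dir (GNU and BSD grep have them).
# File names containing ":" are not handled.
scan_for_keys() {
  hits=$(grep -rEnoI --exclude-dir=.git -e "$KEY_RE" "$1" 2>/dev/null) || true
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits" | while IFS=: read -r file line secret; do
    printf '%s:%s: %s\n' "$file" "$line" "$(mask_key "$secret")"
  done
  return 1
}

# demo: build a constructed tree (the secret below is fake) and scan it.
# app.js hard-codes a key and is reported; job.py reads the environment
# variable used in the curl example above and is not.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/src"
  printf 'const KEY = "cmc_live_0123456789abcdef3f7a";\n' > "$d/src/app.js"
  printf 'key = os.environ["COINMARKETCAL_API_KEY"]\n' > "$d/src/job.py"
  scan_for_keys "$d" && status=0 || status=1
  rm -rf "$d"
  return "$status"
}
```

Source the file and call scan_for_keys on the repository root from a pre-commit hook or CI step, failing the step on a non-zero return. A hit means the key should be rotated from the dashboard, not just deleted from the file.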

Bad credentials

A missing, malformed, or revoked key returns 401 Unauthorized. See Errors for the full response shape.