Authentication
All API v1 endpoints require authentication via an API key.
API key format
```text
ctk_live_<32-hex-characters>
# Example:
ctk_live_a4f2e8c1d9b3f07e5a2c8d4f1e6b9c3d
```

Keys are prefixed with ctk_live_ followed by 32 random hex characters. The full key is shown once at creation — store it securely.
Passing the key
Include your key in the x-api-key HTTP header on every request:
```bash
curl "https://api.cooktool.org/v1/ingredients?q=tomato" \
  -H "x-api-key: ctk_live_abc123..."
```

Security best practices
- Store keys in environment variables, never in source code.
- Use one key per application / environment.
- Rotate keys regularly — create a new one then revoke the old one.
- Revoke immediately if a key is exposed.
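
The sketch below is an added example, not code from the API's maintainers. It reads the key from the environment, rejects malformed values before any request is sent, and scans source text for hardcoded key literals, as a pre-commit check might. The variable name `COOKTOOL_API_KEY` and all function names are hypothetical, and lowercase hex is assumed from the example key above.

```python
import os
import re

# Key format from this page: "ctk_live_" followed by 32 hex characters.
# Assumption: hex digits are lowercase, as in the page's example key.
KEY_RE = re.compile(r"ctk_live_[0-9a-f]{32}")
ENV_VAR = "COOKTOOL_API_KEY"  # hypothetical variable name, not defined by the API


def redact(key):
    """Keep the prefix and last 4 characters so logs never hold a usable key."""
    return key[:9] + "*" * 28 + key[-4:]


def load_api_key(environ=os.environ):
    """Read the key from the environment and reject anything malformed."""
    key = environ.get(ENV_VAR, "").strip()
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"{ENV_VAR} is missing or not a ctk_live_ key")
    return key


def auth_headers(environ=os.environ):
    """Headers for a request; the key is read at call time, never hardcoded."""
    return {"x-api-key": load_api_key(environ)}


def find_hardcoded_keys(text):
    """Return (line number, redacted key) for every key literal in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits


# Constructed sample source file; the key is the page's own example value.
SAMPLE_SOURCE = '''import os
API_KEY = "ctk_live_a4f2e8c1d9b3f07e5a2c8d4f1e6b9c3d"
SAFE_KEY = os.environ["COOKTOOL_API_KEY"]
PLACEHOLDER = "ctk_live_abc123..."
'''

if __name__ == "__main__":
    for lineno, masked in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded key {masked}")
```

The scanner reports the redacted form only, so its own output can be kept in CI logs without exposing the key a second time.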
Error responses
| Status | Meaning |
|---|---|
| 401 | Missing or invalid x-api-key header |
| 401 | Key has been revoked |
| 429 | Rate limit exceeded (see Retry-After header) |