Authentication
Every request to the Ranktracker REST API is authenticated with an API key. There are no OAuth flows, no session cookies, and no per-request signing — you send one long-lived key on each request and that's it.
How it works
Send your API key in the Authorization header. There is no Bearer
prefix — the header value is the key itself:
Authorization: tkn_usr_your_api_key_here
A full request looks like this:
curl https://api.ranktracker.com/v1/domains \
-H "Authorization: tkn_usr_your_api_key_here"
The same header goes on every endpoint under /v1, for reads and writes alike.
import requests
headers = {"Authorization": "tkn_usr_your_api_key_here"}
resp = requests.get("https://api.ranktracker.com/v1/domains", headers=headers)
resp.raise_for_status()
print(resp.json()["data"])
const resp = await fetch("https://api.ranktracker.com/v1/domains", {
headers: { Authorization: "tkn_usr_your_api_key_here" },
});
if (!resp.ok) throw new Error(`HTTP ${resp.status}`);
const { data } = await resp.json();
console.log(data);
:::note Base URL
All examples use the production base URL https://api.ranktracker.com, and
every endpoint lives under /v1 (for example
https://api.ranktracker.com/v1/domains).
:::
Creating and revoking keys
API keys are created and managed in the Ranktracker app, not through this API.
- Sign in at app.ranktracker.com.
- Open your account settings and go to the API keys section.
- Create a key, then copy it. Store it somewhere safe — treat it like a password.
- To revoke a key, delete it from the same screen. The key stops working immediately.
What a key can and cannot do
Be aware of these properties before you build against the API:
- No scopes. A key grants access to everything your account and plan can do through the API — all of your domains, keywords, competitors, tags, SERP data, and account usage. You cannot mint a read-only or resource-limited key.
- No expiry. A key stays valid until you delete it. It will not rotate or time out on its own.
- Account-scoped. A key only ever sees data in the account that owns it.
Requests for domains or keywords in another account return
404, as if they did not exist.
:::warning Keep your key secret Because keys carry full access and never expire, a leaked key is a serious problem. Use keys server-side only — never ship one in browser JavaScript, a mobile app, or any client a user can inspect, and never commit one to source control. Load keys from environment variables or a secrets manager. :::
Rotating a key
There is no in-place "roll" operation. To rotate:
- Create a new key in the app.
- Deploy it to your integration and confirm traffic is flowing on the new key.
- Delete the old key in the app.
Because both keys are valid at once during step 2, you can rotate with zero downtime. Rotate immediately if you suspect a key has been exposed.
Your plan must have API access enabled
API access is a plan-level feature. If your current plan does not include API
access, authenticated requests are rejected with 403 Forbidden even when
the key itself is valid.
You can confirm whether API access is on for your plan by reading
GET /v1/account/usage. Its response includes an apiEnabled flag in
data.attributes:
curl https://api.ranktracker.com/v1/account/usage \
-H "Authorization: tkn_usr_your_api_key_here"
{
"data": {
"id": "…",
"type": "usage",
"attributes": {
"apiEnabled": true,
"keywords": { "usage": 1420, "limit": 2000, "remaining": 580 },
"dataRows": { "usage": 8500, "limit": 12000, "remaining": 3500 }
}
}
}
If apiEnabled is false, upgrade your plan or contact support to turn API
access on. See Usage and quota for the rest of
this response.
What auth failures look like
Errors come back in the JSON:API error envelope — an errors array where each
entry has a code, a status, and a human-readable detail:
{
"errors": [
{
"code": "unauthorized",
"status": 401,
"detail": "Invalid or missing API key."
}
]
}
The two failures you'll see most:
| Status | Meaning | How to fix |
|---|---|---|
401 Unauthorized | The Authorization header is missing, malformed, or the key is wrong. | Send the key with no Bearer prefix; check for stray whitespace; confirm the key still exists in the app. |
403 Forbidden | The key is valid but the request is not allowed — most commonly your plan does not have API access enabled. It also covers other forbidden actions. | Check apiEnabled via /v1/account/usage; upgrade the plan if needed. |
:::note A common gotcha
A 403 here does not mean your key is bad — the key authenticated fine. It
almost always means API access is off for your plan. Reserve 401 in your head
for "the key didn't work," and 403 for "the key worked but you're not
permitted."
:::
A missing or invalid key is always rejected — there is no anonymous access to
any /v1 endpoint.
Next steps
- Quickstart — get a key and make your first call.
- Errors and rate limits — the full list of status codes, the error envelope, and how to handle throttling.
- Usage and quota — read your plan limits,
including
apiEnabled. - Account reference → — the
/v1/account/usageendpoint in the API reference.