Authentication, Limits & Usage

CharityQuery uses API key authentication for all API requests. Your dashboard is used to generate and manage keys, while the API itself is authenticated exclusively through the 'x-api-key' header header.

API Key Security
API keys should only be used in secure server environments.

API keys provide access to your CharityQuery account and should never be exposed in client-side code such as browsers, mobile apps, or public repositories.

Always make API requests from a secure backend environment:

  • Server-side functions, such as Next.js Server Actions
  • Backend APIs, such as Express, Django, or Gin
  • Server-to-server integrations

If an API key is exposed publicly, it can be used by anyone and may result in unauthorized usage or exceeded rate limits.

If you believe a key has been exposed, revoke it immediately from your dashboard and generate a new one.

// ❌ Do NOT do this client-side
fetch("https://api.charityquery.com/charities", {
  headers: {
    "x-api-key": "YOUR_API_KEY"
  }
})

// ✅ Do this instead server-side
export async function getCharities() {
  return fetch("https://api.charityquery.com/charities", {
    headers: {
      "x-api-key": process.env.CHARITY_API_KEY
    }
  })
}
Authentication
Use your API key in the request header.

Every API request must include a valid API key:

x-api-key: YOUR_API_KEY

Clerk is used only to sign in to the website and access the developer dashboard. Clerk tokens are not used to authenticate API requests.

Development and Live Keys
CharityQuery supports separate keys for testing and production, but usage counts toward the same account limit.

CharityQuery provides separate development and live API keys so you can test safely before moving into production.

  • dev keys are intended for local development, testing, and staging environments.
  • live keys are intended for production applications.

Both key types count toward the same daily usage limit for your account. Creating separate keys does not create separate request allowances.

Daily Limits
Daily request limits are determined by your current tier.

Each successful request counts toward your daily request usage. Your current limit depends on your developer tier.

If you exceed your daily allowance, the API will return a 429 Too Many Requests response until your limit resets.

Rate Limit Headers
Every response includes headers that show your current daily usage.
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 742
X-RateLimit-Reset: 1767225600
  • X-RateLimit-Limit — your total daily request allowance
  • X-RateLimit-Remaining — requests remaining before reset
  • X-RateLimit-Reset — Unix timestamp for when the limit resets
Dashboard Usage
You can monitor usage and key activity from your dashboard.

In addition to response headers, your dashboard provides visibility into API key usage and request activity. This makes it easy to monitor development and production keys while keeping usage tied to the same account limit.

Example Request
Example request using API key authentication.
curl "https://api.charityquery.com/nearby?origin_zip=28387&radius=25&limit=2" \
-H "x-api-key: YOUR_API_KEY"