Authentication
Learn how to authenticate your API requests using API keys.
All authenticated API endpoints require an API key to be sent with each request. API keys are generated from your dashboard and must be passed via the X-API-Key request header.
API Key Format
IPO Guruji API keys follow a structured format that identifies the key type at a glance:
ipg_{type}_{64_hex_characters}# Examples:ipg_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0ipg_test_f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0Key Types
| Type | Prefix | Purpose | Data |
|---|---|---|---|
| Live | ipg_live_ | Production use | Real, live data from production sources |
| Test | ipg_test_ | Development and testing | Sample data for testing integrations |
Passing the API Key
Include your API key in the X-API-Key header with every request to authenticated endpoints:
curl -X GET "https://api.ipoguruji.com/v1/ipos" \ -H "X-API-Key: ipg_live_your_api_key_here"Authentication Errors
If the API key is missing or invalid, the API returns a 401 Unauthorized response:
{
"success": false,
"error": {
"code": "AUTH_001",
"message": "Invalid or missing API key",
"documentation": "https://docs.ipoguruji.com/errors/AUTH_001"
},
"disclaimer": "Data aggregated from publicly accessible sources. Not investment advice.",
"timestamp": "2026-02-09T14:30:00.000Z",
"requestId": "req_x7k2m9p1"
}{
"success": false,
"error": {
"code": "AUTH_002",
"message": "Invalid API key. Please check your key and try again.",
"documentation": "https://docs.ipoguruji.com/errors/AUTH_002"
},
"disclaimer": "Data aggregated from publicly accessible sources. Not investment advice.",
"timestamp": "2026-02-09T14:30:00.000Z",
"requestId": "req_m3n5p8q2"
}Rate Limiting
Each subscription plan has its own rate limits. Rate limit information is included in every response via headers:
| Plan | Requests / Minute | Requests / Day |
|---|---|---|
| Free | 10 | 100 |
| Basic | 60 | 1,000 |
| Pro | 200 | 10,000 |
| Enterprise | 1,000 | 100,000 |
For detailed information on rate limit headers and best practices, see the Rate Limits guide.
Security Best Practices
Never expose API keys in client-side code
Always call the API from your backend server. Never embed API keys in JavaScript bundles, mobile apps, or public repositories.
Use environment variables
Store your API key in environment variables or a secrets manager, not in source code.
Rotate keys periodically
Generate new API keys periodically and revoke old ones from your dashboard.
Use test keys during development
Use ipg_test_ keys for development and testing to avoid consuming your production quota.