CleanContact
← Back to Knowledge

Authentication & API Keys

Every request must carry a valid API key in the X-API-Key header. Keys are created and managed in the CleanContact admin console, and only keys marked active are accepted.

Creating a key

  • Open the admin console and create a new key for the project that will use it.
  • Copy the key once — store it in a secret manager or environment variable, never in client code.
  • Deactivate or rotate a key the moment you suspect it has leaked; the change takes effect within minutes as caches refresh.

Public vs server keys

A key meant for a browser-facing form should require a captcha, so it cannot be scraped and abused for free lookups. A captcha-protected key expects a captchaToken alongside the email. Server-to-server keys stay clean and fast with no captcha — keep them strictly on your backend.

# server-side: key injected from the environment, never shipped to the browser
curl -H "X-API-Key: $CLEANCONTACT_KEY" \
  "https://api.cleancontact.ru/validate?email=user@example.com"

The demo on this site follows exactly that pattern: the browser calls our own /api/validate route, and the server attaches the key before forwarding to the validation service.