Every request must carry a valid API key in the X-API-Key header. Keys are created and managed in the CleanContact admin console, and only keys marked active are accepted.
Creating a key
- Open the admin console and create a new key for the project that will use it.
- Copy the key once — store it in a secret manager or environment variable, never in client code.
- Deactivate or rotate a key the moment you suspect it has leaked; the change takes effect within minutes as caches refresh.
Public vs server keys
A key meant for a browser-facing form should require a captcha, so it cannot be scraped and abused for free lookups. A captcha-protected key expects a captchaToken alongside the email. Server-to-server keys stay clean and fast with no captcha — keep them strictly on your backend.
# server-side: key injected from the environment, never shipped to the browser
curl -H "X-API-Key: $CLEANCONTACT_KEY" \
"https://api.cleancontact.ru/validate?email=user@example.com"The demo on this site follows exactly that pattern: the browser calls our own /api/validate route, and the server attaches the key before forwarding to the validation service.