Trawley
Reference

Authentication

The current state of API authentication and what is coming.

API keys are not available yet. This page documents the current state honestly so you can plan around it.

Today

The public search endpoints (hybrid, results, export, diff) are reached by scraper ID and do not require an API key:

text
GET https://api.trawley.ai/v1/scrapers/{scraperId}/hybrid?search=...

A scraper's results are returned to anyone who has its ID. In practice:

  • Treat a scraperId like a shared secret. Do not publish it anywhere you would not publish read access to that data.
  • Avoid embedding scraper IDs in public client-side code. Proxy requests through your own backend so the ID is not exposed in a browser bundle.

The chat endpoint is the exception. It is session-authenticated and currently serves the Trawley web app rather than external callers.

What is coming

API key authentication is on the roadmap (tracked internally as issue #45). When it ships:

  • You will generate keys from your dashboard.
  • Requests will carry an Authorization: Bearer <key> header.
  • Existing endpoints keep working. The migration will be documented here.

Building an integration now? Write your request layer so an Authorization header is easy to add later. Centralise your fetch calls in one place so adding auth is a one-line change when keys arrive.

What's next

API overview

Base URL, conventions, and the endpoint map.

Explore

Rate limits

How usage is metered today.

Explore