API keys
All API requests require a valid API key passed as the api_key query parameter.
curl "https://app.airrating.io/api/score?origin=FCO&dest=LHR&airline=AZ&date=2026-04-10&api_key=YOUR_API_KEY"
Header-based authentication (Authorization: Bearer) is planned for a future release. During beta, use the api_key query parameter.
ar_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Keys are prefixed with ar_live_ for production and ar_test_ for sandbox/testing.
Getting a key
During private beta, keys are provisioned manually:
- Join the waitlist at airrating.io
- Once accepted into the beta, you will receive your key via email
- You can also request access directly at [email protected]
Validating a key
Check whether a key is active and retrieve its metadata:
curl "https://app.airrating.io/api/keys/validate?api_key=YOUR_API_KEY"
{
  "valid": true,
  "name": "My Integration",
  "monthly_limit": 1000,
  "requests_this_month": 42
}
Rate limits
| Plan | Monthly requests |
|---|---|
| Beta | 1,000 |
| Starter (planned) | 10,000 |
| Pro (planned) | 100,000 |
| Enterprise (planned) | Unlimited |
When you exceed your monthly limit, the API returns HTTP 429:
{
  "error": "rate_limit_exceeded",
  "message": "Monthly request limit reached. Contact [email protected] to upgrade."
}
Error responses
| HTTP code | Error code | Meaning |
|---|---|---|
| 401 | missing_api_key | No api_key parameter provided |
| 401 | invalid_api_key | Key not found or inactive |
| 429 | rate_limit_exceeded | Monthly limit exhausted |
| 500 | internal_error | Server-side error |
Security best practices
Never expose your API key in frontend JavaScript, public GitHub repositories, or client-side code.
- Store keys in environment variables (.env) and never commit them to version control
- Use a backend proxy to call the AirRating API from your application
- Rotate your key immediately if you suspect it has been compromised — contact [email protected]
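Because the key travels in the query string during beta, it is part of every request URL and will appear wherever URLs are logged. The sketch below is an added example, not AirRating's own code: it shows the server-side half of a backend proxy that reads the key from the environment, forwards only the parameters shown in the curl example above, and masks the key before a URL is logged. The environment variable name `AIRRATING_API_KEY`, the function names, and the assumption that the key body is alphanumeric are all hypothetical.

```python
import os
import re
from urllib.parse import urlencode

# Endpoint taken from the curl example on this page.
SCORE_URL = "https://app.airrating.io/api/score"
# Query parameters shown in that curl example; anything else is dropped.
ALLOWED_PARAMS = ("origin", "dest", "airline", "date")
# Assumed environment variable name (not defined by AirRating).
KEY_ENV_VAR = "AIRRATING_API_KEY"
# Documented prefixes; the alphanumeric key body is an assumption.
KEY_PATTERN = re.compile(r"ar_(live|test)_[A-Za-z0-9]+")


def load_key(environ=os.environ):
    """Read the key from the environment and check its documented prefix."""
    key = environ.get(KEY_ENV_VAR, "")
    if not KEY_PATTERN.fullmatch(key):
        raise RuntimeError(f"{KEY_ENV_VAR} is unset or not an ar_live_/ar_test_ key")
    return key


def build_upstream_url(client_params, key):
    """Build the server-side request URL from untrusted client parameters."""
    # A client-supplied api_key, or any unknown parameter, never reaches upstream.
    safe = {k: str(client_params[k]) for k in ALLOWED_PARAMS if k in client_params}
    safe["api_key"] = key
    return f"{SCORE_URL}?{urlencode(safe)}"


def redact(text):
    """Mask keys before a URL or error message is written to logs."""
    return KEY_PATTERN.sub(lambda m: f"ar_{m.group(1)}_[REDACTED]", text)


if __name__ == "__main__":
    # Constructed sample key and request, for demonstration only.
    env = {KEY_ENV_VAR: "ar_test_" + "a" * 32}
    url = build_upstream_url(
        {"origin": "FCO", "dest": "LHR", "airline": "AZ",
         "date": "2026-04-10", "api_key": "client-supplied-value"},
        load_key(env),
    )
    print(redact(url))
```

The browser calls your own endpoint without any key; only the server ever holds the real URL, and only the redacted form should reach logs or error reports.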