Authentication - AirRating

API keys

All API requests require a valid API key passed as the api_key query parameter.

curl "https://app.airrating.io/api/score?origin=FCO&dest=LHR&airline=AZ&date=2026-04-10&api_key=YOUR_API_KEY"

Header-based authentication (Authorization: Bearer) is planned for a future release. During beta, use the api_key query parameter.

ar_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Keys are prefixed with ar_live_ for production and ar_test_ for sandbox/testing.

During private beta, keys are provisioned manually:

Check whether a key is active and retrieve its metadata:

curl "https://app.airrating.io/api/keys/validate?api_key=YOUR_API_KEY"

{
  "valid": true,
  "name": "My Integration",
  "monthly_limit": 1000,
  "requests_this_month": 42
}

When you exceed your monthly limit, the API returns HTTP 429:

{
  "error": "rate_limit_exceeded",
  "message": "Monthly request limit reached. Contact [email protected] to upgrade."
}

HTTP code	Error code	Meaning
`401`	`missing_api_key`	No `api_key` parameter provided
`401`	`invalid_api_key`	Key not found or inactive
`429`	`rate_limit_exceeded`	Monthly limit exhausted
`500`	`internal_error`	Server-side error

Never expose your API key in frontend JavaScript, public GitHub repositories, or client-side code.

Store keys in environment variables (.env) and never commit them to version control
Use a backend proxy to call the AirRating API from your application
Rotate your key immediately if you suspect it has been compromised — contact [email protected]