Authentication
How to authenticate with the Morphemeris API using API keys.
Every request to the Morphemeris API requires an API key. Keys are created in your dashboard.
API key format
Keys use the morphemeris_live_ prefix, which enables secret scanning tools (GitHub, GitGuardian) to detect accidentally committed keys:
```text
morphemeris_live_abc123def456ghi789...
```
Sending your key
Pass your key in the Authorization header using the Bearer scheme:
```bash
curl "https://api.morphemeris.com/v1/positions?datetime=2024-01-01T00:00:00Z" \
  -H "Authorization: Bearer morphemeris_live_YOUR_KEY"
```
```javascript
const res = await fetch(
  "https://api.morphemeris.com/v1/positions?datetime=2024-01-01T00:00:00Z",
  { headers: { Authorization: "Bearer morphemeris_live_YOUR_KEY" } }
);
const data = await res.json();
```
```python
import requests

res = requests.get(
    "https://api.morphemeris.com/v1/positions",
    params={"datetime": "2024-01-01T00:00:00Z"},
    headers={"Authorization": "Bearer morphemeris_live_YOUR_KEY"},
)
data = res.json()
```
Alternatively, use the X-API-Key header:
```bash
curl "https://api.morphemeris.com/v1/positions?datetime=2024-01-01T00:00:00Z" \
  -H "X-API-Key: morphemeris_live_YOUR_KEY"
```
If both headers are present, Authorization takes precedence.
Key lifecycle
- Create — Set an optional expiration date and allowed origins
- Revoke — Immediately invalidated (may take up to 60 seconds to propagate)
- Rotate — Create a new key, update your integration, then revoke the old one
- Update origins — Modify allowed origins without revoking the key
All keys on an account share the same credit balance and rate limits.
Origin restrictions
Keys can optionally restrict which HTTP origins are allowed. This protects against browser-based abuse when using the API from frontend code.
| Scenario | Behavior |
|---|---|
| No origins configured (default) | All requests accepted |
| Origins configured, matching Origin header | Request accepted |
| Origins configured, non-matching Origin header | 403 origin_not_allowed |
| Origins configured, no Origin header (server-to-server) | Request accepted |
Origin matching is exact string comparison against the full origin (e.g., https://myapp.com). Wildcard subdomains are not supported in v1.
Tip: Use an unrestricted key for your backend and a separate origin-restricted key for frontend code.
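The header precedence rule and the origin table above, modelled as an added example (this is not Morphemeris's server code). The key store, the function names, and the choice to reject a malformed Authorization header without falling back to X-API-Key are assumptions.

```python
from typing import Mapping, Optional, Sequence, Tuple

PREFIX = "morphemeris_live_"  # key prefix documented on this page

# Constructed sample store (hypothetical): key -> allowed origins ([] = unrestricted).
KEYS = {
    PREFIX + "CONSTRUCTED_BACKEND": [],
    PREFIX + "CONSTRUCTED_FRONTEND": ["https://myapp.com"],
}


def _lower(headers: Mapping[str, str]) -> dict:
    """HTTP header names are case-insensitive; normalise them."""
    return {name.lower(): value for name, value in headers.items()}


def extract_key(headers: Mapping[str, str]) -> Optional[str]:
    """Return the presented key; Authorization takes precedence over X-API-Key."""
    h = _lower(headers)
    auth = h.get("authorization")
    if auth is not None:
        scheme, _, token = auth.partition(" ")
        # Assumption: a malformed Authorization header is rejected, with no
        # fallback to X-API-Key.
        ok = scheme.lower() == "bearer" and token.strip()
        return token.strip() if ok else None
    return h.get("x-api-key")


def origin_allowed(allowed: Sequence[str], origin: Optional[str]) -> bool:
    """The four rows of the origin table, in order."""
    if not allowed:           # no origins configured (default)
        return True
    if origin is None:        # no Origin header (server-to-server)
        return True
    return origin in allowed  # exact string comparison, no wildcards


def decide(headers: Mapping[str, str],
           keys: Mapping[str, Sequence[str]] = KEYS) -> Tuple[int, Optional[str]]:
    """Return (status, error code); expiry and revocation are not modelled."""
    key = extract_key(headers)
    if key is None or key not in keys:
        return 401, "invalid_api_key"
    if not origin_allowed(keys[key], _lower(headers).get("origin")):
        return 403, "origin_not_allowed"
    return 200, None
```

Because a request with no Origin header is accepted, an origin-restricted key still works from non-browser clients, so treat the frontend key as a secret to rotate like any other.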
Error responses
| Status | Code | Meaning |
|---|---|---|
| 401 | invalid_api_key | Missing, malformed, expired, or revoked key |
| 403 | origin_not_allowed | Request origin not in the key's allowed list |
```json
{
  "errors": [{
    "code": "invalid_api_key",
    "message": "The provided API key is invalid or has been revoked.",
    "suggestion": "Check your key at morphemeris.com/dashboard/keys"
  }],
  "meta": { "request_id": "..." }
}
```