Authentication
All CaptureAPI endpoints require authentication via an API key. This guide covers how to obtain, use, and manage your API keys securely.
Getting an API Key
You can get a free API key in two ways:
1. Dashboard (Recommended)
Visit your Dashboard and enter your email address. Your API key will be generated instantly.
2. API Registration Endpoint
Register programmatically via the API:
curl -X POST "https://captureapi.dev/api/auth/register" \
  -H "Content-Type: application/json" \
  -d '{"email": "developer@example.com"}'
# Response:
{
  "apiKey": "cap_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
  "plan": "free",
  "createdAt": "2026-03-17T12:00:00Z"
}

Using Your API Key
Include your API key in the X-API-Key header of every request:
# Header authentication (recommended)
curl "https://captureapi.dev/api/v1/screenshot?url=https://example.com" \
  -H "X-API-Key: cap_your_api_key_here"
# Alternative: Bearer token
curl "https://captureapi.dev/api/v1/screenshot?url=https://example.com" \
  -H "Authorization: Bearer cap_your_api_key_here"

Security Warning
- Never expose your API key in client-side code (JavaScript running in browsers).
- Always make API calls from your server or serverless functions.
- Use environment variables to store your API key.
- Rotate your key immediately if it is compromised.
Rate Limiting
CaptureAPI enforces two types of rate limits to ensure fair usage:
| Plan | Monthly Limit | Per-Second Limit | Burst Allowance |
|---|---|---|---|
| Free | 50 | 1 | +5 requests |
| Pro | 2,000 | 5 | +200 requests |
| Business | 10,000 | 10 | +1,000 requests |
| Enterprise | Unlimited | Unlimited | N/A |
Rate Limit Headers
Every API response includes rate limit information in the headers:
X-RateLimit-Limit: 2000 # Your monthly limit
X-RateLimit-Remaining: 1987 # Remaining requests this month
X-RateLimit-Reset: 2026-04-01 # When the counter resets
X-RateLimit-RetryAfter: 1 # Seconds until next request (per-second limit)

Handling Rate Limits
// Retry on HTTP 429, waiting the number of seconds given in X-RateLimit-RetryAfter.
async function captureWithRetry(url, maxRetries = 3) {
  for (let i = 0; i < maxRetries; i++) {
    const response = await fetch(
      `https://captureapi.dev/api/v1/screenshot?url=${encodeURIComponent(url)}`,
      { headers: { "X-API-Key": process.env.CAPTURE_API_KEY } }
    );
    if (response.status === 429) {
      // Fall back to 1 second if the header is missing or not a number.
      const parsed = Number.parseInt(response.headers.get("X-RateLimit-RetryAfter"), 10);
      const retryAfter = Number.isFinite(parsed) && parsed > 0 ? parsed : 1;
      console.log(`Rate limited. Retrying in ${retryAfter}s...`);
      await new Promise(resolve => setTimeout(resolve, retryAfter * 1000));
      continue;
    }
    if (!response.ok) throw new Error(`HTTP ${response.status}`);
    return response.arrayBuffer();
  }
  throw new Error("Max retries exceeded");
}

Key Management Best Practices
Use Environment Variables
# .env file (never commit this)
CAPTURE_API_KEY=cap_your_api_key_here

// Access in Node.js
const apiKey = process.env.CAPTURE_API_KEY;

# Access in Python
import os
api_key = os.environ["CAPTURE_API_KEY"]

Server-Side Only
Always call the CaptureAPI from your backend server, API routes, or serverless functions. Never include API keys in frontend JavaScript, mobile apps, or any client-accessible code.
Add to .gitignore
Ensure your .env files are listed in .gitignore to prevent accidental commits of sensitive data.
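
The key management rules above can be checked before each commit. The following is an added example, not CaptureAPI's own code: it scans file contents for key-shaped strings and checks that `.gitignore` covers `.env`. The key pattern is an assumption inferred from the sample key on this page, and `findLeakedKeys`, `gitignoreCoversEnv` and the sample file names are hypothetical.

```javascript
// Added example, not CaptureAPI code. ASSUMPTION: keys look like the sample
// key on this page: "cap_" followed by 32 characters from [a-z0-9].
const KEY_PATTERN = /\bcap_[a-z0-9]{32}\b/g;

// Scan { path: fileText } and return one finding per key-shaped string.
// The key is redacted so the report itself does not leak it.
function findLeakedKeys(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, idx) => {
      for (const match of line.matchAll(KEY_PATTERN)) {
        const key = match[0];
        findings.push({ path, line: idx + 1, redacted: `cap_****${key.slice(-4)}` });
      }
    });
  }
  return findings;
}

// Simplified .gitignore check (not a full gitignore matcher): true when a
// rule covering ".env" is present and no later "!.env" rule re-includes it.
function gitignoreCoversEnv(gitignoreText) {
  const covering = new Set([".env", "/.env", ".env*"]);
  let ignored = false;
  for (const raw of gitignoreText.split(/\r?\n/)) {
    const rule = raw.trim();
    if (rule === "" || rule.startsWith("#")) continue;
    if (covering.has(rule)) ignored = true;
    if (rule === "!.env" || rule === "!/.env") ignored = false;
  }
  return ignored;
}

// Constructed sample input: the hard-coded key is the documentation sample
// from the registration response above, not a live credential.
const sampleFiles = {
  "src/client.js": 'const key = "cap_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6";\nfetch(url);',
  "README.md": 'curl -H "X-API-Key: cap_your_api_key_here"',
  ".env.example": "CAPTURE_API_KEY=",
};

console.log(findLeakedKeys(sampleFiles));
console.log(gitignoreCoversEnv("node_modules/\n.env\n"));
```

The placeholder `cap_your_api_key_here` is not reported because it does not match the assumed key shape, so documentation snippets do not trigger false positives.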