Authentication
Learn how to create API keys and authenticate requests to the ScreenshotAPI.
Overview
All screenshot requests require authentication via an API key. ScreenshotAPI supports two authentication methods — pick whichever fits your stack.
Authentication Methods
API Key Header (Recommended)
Pass your API key in the x-api-key header:
curl "https://screenshotapi.to/api/v1/screenshot?url=https://example.com" \
  -H "x-api-key: sk_live_your_key_here"
Bearer Token
Alternatively, use the standard Authorization: Bearer header:
curl "https://screenshotapi.to/api/v1/screenshot?url=https://example.com" \
  -H "Authorization: Bearer sk_live_your_key_here"
Both methods are equivalent. If both headers are present, x-api-key takes precedence.
Creating API Keys
You must be signed in to manage API keys. API key management endpoints use session-based authentication (cookies), not API key auth.
Via the Dashboard
- Navigate to your dashboard.
- Go to the API Keys section.
- Click Create New Key and give it a descriptive name (e.g., "Production", "Staging", "OG Image Generator").
- Copy the full key immediately — it is shown only once.
Via the API
You can also manage keys programmatically:
# Create a new API key
curl -X POST "https://screenshotapi.to/api/v1/api-keys" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production"}' \
  --cookie "session=your_session_cookie"

const response = await fetch('https://screenshotapi.to/api/v1/api-keys', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  credentials: 'include',
  body: JSON.stringify({ name: 'Production' })
})
const { id, name, key, keyPrefix } = await response.json()
// key = "sk_live_abc123..." — save this, it won't be shown again

import requests
response = requests.post(
    "https://screenshotapi.to/api/v1/api-keys",
    json={"name": "Production"},
    cookies={"session": "your_session_cookie"}
)
data = response.json()
# data["key"] = "sk_live_abc123..." — save this, it won't be shown again
The response includes the full API key. Store it securely — we only store a hashed version on our end, so it cannot be retrieved later.
{
  "id": "clx1abc2d3e4f5g6h7i8j9k0",
  "name": "Production",
  "key": "sk_live_your_new_api_key_shown_once",
  "keyPrefix": "sk_live_abc1",
  "createdAt": "2026-03-24T12:00:00.000Z"
}
Listing API Keys
Retrieve all your active (non-revoked) API keys:
curl "https://screenshotapi.to/api/v1/api-keys" \
  --cookie "session=your_session_cookie"
Response:
[
  {
    "id": "clx1abc2d3e4f5g6h7i8j9k0",
    "name": "Production",
    "keyPrefix": "sk_live_abc1",
    "lastUsedAt": "2026-03-24T15:30:00.000Z",
    "createdAt": "2026-03-24T12:00:00.000Z"
  }
]
Note that the full key is never returned in listing responses — only the keyPrefix (first 12 characters) for identification.
Revoking API Keys
If a key is compromised or no longer needed, revoke it immediately:
curl -X DELETE "https://screenshotapi.to/api/v1/api-keys/clx1abc2d3e4f5g6h7i8j9k0" \
  --cookie "session=your_session_cookie"
Revoked keys stop working immediately. Any in-flight requests using the revoked key will fail with a 403 error.
Key Format
API keys follow a predictable format:
| Component | Example | Description |
|---|---|---|
| Prefix | sk_live_ | Identifies this as a ScreenshotAPI live key |
| Random string | abc123def456... | 32 characters of cryptographic randomness |
The sk_live_ prefix makes it easy to identify leaked keys in code scanning tools and secret detection systems like GitHub's secret scanning.
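An added example, not ScreenshotAPI's own code: a small scanner for the key format above that reports only the keyPrefix of each hit and matches it against a listing response to find which key id to revoke. The alphanumeric alphabet for the 32 random characters and the function names are assumptions; all sample inputs are constructed.

```python
import re

# Assumption: the 32 random characters are alphanumeric; the page gives the
# length and the sk_live_ prefix but not the alphabet.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sk_live_[A-Za-z0-9]{32}(?![A-Za-z0-9])")
PREFIX_LEN = 12  # keyPrefix = first 12 characters, per the listing response


def find_leaked_keys(text, source="<input>"):
    """Return one finding per key occurrence, never the full key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append({
                "source": source,
                "line": lineno,
                "keyPrefix": match.group(0)[:PREFIX_LEN],
            })
    return findings


def keys_to_revoke(findings, listed_keys):
    """Map findings to key ids using the keyPrefix from GET /api/v1/api-keys."""
    leaked = {f["keyPrefix"] for f in findings}
    return sorted(k["id"] for k in listed_keys if k["keyPrefix"] in leaked)


# Constructed sample input: one key-shaped value (built at runtime so this
# file holds no literal key), the docs placeholder, and an over-long value.
SAMPLE_CONFIG = "\n".join([
    "SCREENSHOT_KEY=sk_live_abc1" + "x" * 28,
    'curl -H "x-api-key: sk_live_your_key_here"',
    "OTHER=sk_live_" + "z" * 40,
])

# Constructed listing response in the shape shown on this page.
SAMPLE_LISTING = [
    {"id": "clx1abc2d3e4f5g6h7i8j9k0", "name": "Production", "keyPrefix": "sk_live_abc1"},
    {"id": "clx_constructed_other_id", "name": "Staging", "keyPrefix": "sk_live_zz99"},
]

if __name__ == "__main__":
    hits = find_leaked_keys(SAMPLE_CONFIG, source="sample.env")
    for hit in hits:
        print(f'{hit["source"]}:{hit["line"]} leaked key with prefix {hit["keyPrefix"]}')
    print("revoke:", keys_to_revoke(hits, SAMPLE_LISTING))
```

Because keyPrefix carries only four random characters, two keys on one account can share a prefix; in that case the function returns every matching id.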
Security Best Practices
Never commit API keys to version control. Use environment variables or a secrets manager.
- Use environment variables — Store keys in .env files (excluded from git) or your platform's secrets management.
- Rotate keys regularly — Create a new key, update your configuration, then revoke the old one.
- Use separate keys per environment — Create distinct keys for production, staging, and development.
- Monitor usage — Check the usage dashboard for unexpected activity.
- Revoke compromised keys immediately — If a key leaks, revoke it and create a replacement.
Error Responses
| Status | Error | Description |
|---|---|---|
| 401 | API key required | No API key was provided in the request |
| 403 | Invalid API key | The API key is invalid, expired, or has been revoked |