Authentication
All CrimeLayer API requests must be authenticated using an API key passed in the X-API-Key request header. Requests without a valid key will receive a 401 or 403 response.
Getting an API Key
Sign in at crimelayer.com, then navigate to Dashboard → API Keys → Create Key. Each key is shown only once at creation — copy it immediately and store it securely.
Using Your API Key
Pass your key in the X-API-Key HTTP header with every request.
cURL
curl https://api.crimelayer.com/v1/safety/San+Diego \
-H "X-API-Key: cl_live_aBcDeFgH1234567890xYz..."JavaScript (fetch)
const res = await fetch('https://api.crimelayer.com/v1/safety/San Diego', {
headers: { 'X-API-Key': 'cl_live_your_key_here' }
});
const data = await res.json();Python (requests)
import requests
r = requests.get(
'https://api.crimelayer.com/v1/safety/San Diego',
headers={'X-API-Key': 'cl_live_your_key_here'}
)
data = r.json()Key Types
API keys are prefixed so you can identify them at a glance:
| Prefix | Type | Use For |
|---|---|---|
cl_live_ | Live key | Production applications — counts against your monthly quota |
cl_test_ | Test key | Development and testing — limited to 100 req/day, no charge |
Security Best Practices
- Never expose your API key in client-side JavaScript, public repos, or browser requests.
- Use environment variables (
process.env.CRIMELAYER_API_KEY) to store keys in your backend. - Rotate keys immediately if you suspect they've been compromised — use the Dashboard to revoke and reissue.
- Use test keys during development so you don't burn your monthly quota.
What Happens If a Key Is Invalid
A missing or malformed X-API-Key header returns 401 Unauthorized. An expired, revoked, or wrong key returns 403 Forbidden. See the Errors & Rate Limits page for full error response shapes.