SpyFu API Authentication

Choose from three ways to authenticate your API requests ranging from super-easy API-key-in-the-querystring to super-secure HMAC-style.

Authentication confirms your API access and protects your account. Since this is made to work with your own systems, you've got different options for how to make it work.

You can authenticate your requests with any of the handshakes listed below.

Open your account details anytime to find your secret key. You will use it for all API requests.

Secret key sent via querystring

Every request can be authenticated by including your secret key in the following query parameter:


Basic authentication header

Basic authentication is a standard scheme in which you encode the string "SPYFU_API_ID:SECRET_KEY" as Base64. Your SpyFu API user ID and your secret key (used as the password) can both be found under your account details. The encoded string is then sent in the "Authorization" header, prefixed with the keyword "Basic":

Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

HMAC authentication header

For even more security, each request can be individually authenticated with a timestamped HMAC (Hash-based Message Authentication Code) signature. The signature is an RFC 2104 HMAC-SHA256 computed from your secret key, a valid timestamp, the API request path, and all request parameters. Example:

Message = HTTP-Verb + "\n" + Timestamp + "\n" + UrlPath + "\n" + CanonicalizedParameters;
byte[] SecretKeyBytes = UTF-8-Encoding-Of( Upper-Case-Of( SECRET_KEY ) );
byte[] MessageBytes = UTF-8-Encoding-Of( Message );
Signature = Base64( HMAC-SHA256( SecretKeyBytes, MessageBytes ) );

Finally, this authentication string is sent in the "Authentication" header:

Authentication: UserName:Signature
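
The signing recipe above as runnable Python, added here as an illustration and not SpyFu's own code. It goes one step beyond the page by also showing a receiver-side check. Assumptions not taken from the page: the timestamp is Unix epoch seconds, parameters are canonicalized by sorting and percent-encoding, the skew window is 300 seconds, and the key, user name and path are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def canonicalize(params):
    # ASSUMPTION: sort by name, percent-encode, join as k=v with "&".
    # The page does not define CanonicalizedParameters.
    return "&".join(
        f"{quote(str(k), safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(params.items())
    )


def sign(secret_key, verb, timestamp, url_path, params):
    # Message layout from the page: verb, timestamp, path, parameters, "\n"-joined.
    message = "\n".join([verb, timestamp, url_path, canonicalize(params)])
    key = secret_key.upper().encode("utf-8")  # page: upper-case, then UTF-8
    digest = hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def auth_header(user_name, signature):
    # Header name and "UserName:Signature" layout are as given on the page.
    return {"Authentication": f"{user_name}:{signature}"}


def verify(secret_key, verb, timestamp, url_path, params, presented, now, max_skew=300):
    # Receiver-side check (hypothetical): recompute, compare in constant time,
    # and reject timestamps outside an assumed +/- max_skew second window.
    try:
        fresh = abs(now - int(timestamp)) <= max_skew
    except ValueError:
        return False
    expected = sign(secret_key, verb, timestamp, url_path, params)
    return fresh and hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real endpoint.
    ts = "1700000000"
    sig = sign("constructed-secret", "GET", ts, "/example/path", {"b": "2", "a": "1"})
    print(auth_header("example_user", sig))
    print(verify("constructed-secret", "GET", ts, "/example/path",
                 {"a": "1", "b": "2"}, sig, now=1700000100))
```

Because the timestamp and parameters are part of the signed message, changing either one after signing invalidates the signature, and a captured header stops verifying once it falls outside the skew window.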