ValidEmailChecker

How do I authenticate Valid Email Checker API requests?

Last updated May 20, 2026API

Every request to the Valid Email Checker API needs to carry your API key in an Authorization header, formatted as a Bearer token. There is no query-string auth, no separate X-API-Key header, no cookie-based session — just the standard Authorization: Bearer <key> shape that most APIs use. Keep that header on every call, including bulk task creation and result polling.

The exact header format

Authorization: Bearer VECabcdefghjk23mnpqrstuvwxyz234567

Notes on each part:

  • Authorization — capital A, the standard HTTP header name. Case-insensitive per the spec but most languages preserve the capital.
  • Bearer — capital B, then a single space. The space is required; Bearer VEC... with two spaces is malformed.
  • VEC... — the full 35-character key from your Developer page. No quotes, no surrounding angle brackets, no trailing whitespace.

Examples per language

bash
# cURL
curl -X POST https://app.validemailchecker.com/api/verify-single \
  -H "Authorization: Bearer $VEC_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "test@example.com"}'
javascript
// Node.js (built-in fetch)
const response = await fetch(
  'https://app.validemailchecker.com/api/verify-single',
  {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.VEC_API_KEY}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ email: 'test@example.com' }),
  }
);
python
# Python (requests)
import os, requests

response = requests.post(
    'https://app.validemailchecker.com/api/verify-single',
    headers={
        'Authorization': f"Bearer {os.environ['VEC_API_KEY']}",
        'Content-Type': 'application/json',
    },
    json={'email': 'test@example.com'},
)

What goes wrong (and how the API tells you)

IssueResponse statusError body
Header missing entirely401{ "error": "Missing or invalid Authorization header. Use: Authorization: Bearer VEC..." }
Wrong scheme (e.g. Basic instead of Bearer)401Same as above
Header present but value is empty or malformed401{ "error": "Invalid or inactive API key" }
Key is correct format but does not exist / was deleted401{ "error": "Invalid or inactive API key" }
Key exists but is disabled or admin-suspended403{ "error": "API key is suspended" }

Repeated authentication failures from the same IP trigger our abuse-protection circuit breaker. After several invalid-key attempts in a short window, that IP gets temporarily blocked — see API rate limits and error handling for the threshold. Always validate the key format client-side before sending; see the regex in how does the API key prefix identify our keys.

Store the key securely

Never commit the key to source control
Treat the Bearer token like a password. Put it in an environment variable, a secrets manager (Doppler, Vercel/Netlify env vars, AWS Secrets Manager, Vault), or your platform of choice. Hard-coding it in source means anyone who clones the repo gets a copy. If you accidentally commit a key, regenerate it immediately from the Developer page.

No key rotation header

Some APIs let you pass two keys during rotation (the old one and the new one) so requests do not fail mid-deploy. Valid Email Checker does not — it accepts one Bearer token per request. The recommended rotation pattern is to issue the new key, deploy it to your application, verify it works, then revoke the old key. See what happens to in-flight verifications when a key is revoked for the safe ordering.

Next steps

Make your first authenticated callEndpoint URLsKey formatAuth failures

Related questions

What is the Valid Email Checker API endpoint URL?
How do I get a Valid Email Checker API key?
How does the API key prefix identify Valid Email Checker keys?
What error code does the API return when the key is revoked?
Back to all FAQs

Still stuck? Email support