Authentication

All scanr.ai API requests are authenticated with a bearer token. You create tokens from your account dashboard and attach them to every request as a header.

Heads up — API access is a paid add-on. You must have an active API subscription on your account before you can create a token. If you don't see the API Tokens page, upgrade from Plans & Upgrades.

Getting an API token

  1. Sign in to scanr.ai.
  2. Go to Account → API Tokens.
  3. Click Create token, give it a recognisable name (e.g. my-backtest-notebook), pick the scopes you need, and optionally set an expiry date.
  4. Copy the token that appears. It's shown once and only once — if you lose it, you'll need to create a new one.

Scopes

Scope   Grants
read    Read-only endpoints — scans, market data, technicals.
write   Mutating endpoints — save/delete scans, edit settings.

Tokens default to read if no scopes are requested. Request only what you need.

Rate limits

Each token has its own per-minute, per-hour, and per-day rate limits, derived from your API subscription tier. You can see the live limits and usage for each token in the dashboard under Account → API Usage.

Making authenticated requests

Attach the token to every request. Two header formats are supported:

Recommended — Authorization: Bearer <token>:

curl https://scanr.ai/api/v2/misc/market-status \
  -H "Authorization: Bearer sk_live_your_token_here"

Alternative — X-API-Key: <token>:

curl https://scanr.ai/api/v2/misc/market-status \
  -H "X-API-Key: sk_live_your_token_here"

JavaScript / TypeScript

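// The token comes from the environment, never from source code.
const res = await fetch("https://scanr.ai/api/v2/misc/market-status", {
  headers: {
    Authorization: `Bearer ${process.env.SCANR_API_TOKEN}`,
  },
});
// fetch() does not reject on HTTP error statuses, so check before parsing.
if (!res.ok) throw new Error(`scanr.ai request failed: HTTP ${res.status}`);
const data = await res.json();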

Python

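import os
import requests

# Read the token from the environment rather than hard-coding it.
res = requests.get(
    "https://scanr.ai/api/v2/misc/market-status",
    headers={"Authorization": f"Bearer {os.environ['SCANR_API_TOKEN']}"},
    timeout=10,  # requests has no default timeout; avoid hanging forever
)
res.raise_for_status()  # raises on 401, 403, 429 and other error statuses
data = res.json()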

Managing tokens

From Account → API Tokens you can:

  • List tokens with their prefix, scopes, status, last-used time, and expiry.
  • Revoke a token — immediately disables it but keeps the audit record and usage history.
  • Delete a token — permanently removes it.
  • Rename a token.

Revoke a token the moment you suspect it's been exposed (committed to git, posted in logs, leaked in a screenshot). Revocation is instant; any client still using that token will fail on its next call.

Error responses

Status                  Meaning
401 Unauthorized        Missing, malformed, expired, or revoked token.
403 Forbidden           Token is valid but lacks the required scope or subscription tier for the endpoint.
429 Too Many Requests   Rate limit exceeded. Back off and retry; limits reset on the minute/hour/day boundary.
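
A client wrapper that acts on the error table above, added here as an example (not scanr.ai's own code): 401 and 403 fail immediately because retrying cannot fix a bad token or a missing scope, while 429 waits for the next minute boundary and retries a bounded number of times. The names get, http_get, ScanrAuthError and the retry cap are assumptions of this example; the URL, header, environment variable and status meanings come from this page.

```python
import json, os, time
import urllib.error, urllib.request

API = "https://scanr.ai/api/v2"  # base URL taken from the page's examples

class ScanrAuthError(Exception):
    """401/403: retrying cannot help; the token or its scopes must change."""

def seconds_to_next_minute(now):
    # Limits reset on the minute/hour/day boundary, so the next minute
    # boundary is the earliest moment a retry can succeed.
    return 60 - (now % 60)

def http_get(path, token):
    """Default sender (hypothetical helper): returns (status, JSON or None)."""
    req = urllib.request.Request(
        API + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

def get(path, token=None, send=http_get, now=time.time, sleep=time.sleep,
        max_retries=3):
    """GET `path`, mapping the documented error statuses to actions."""
    token = token or os.environ["SCANR_API_TOKEN"]  # never hard-code it
    for attempt in range(max_retries + 1):
        status, body = send(path, token)
        if 200 <= status < 300:
            return body
        # Error messages below never contain the token, so they are safe to log.
        if status == 401:
            raise ScanrAuthError("401: token missing, malformed, expired or revoked")
        if status == 403:
            raise ScanrAuthError("403: token lacks the scope or tier for " + path)
        if status == 429 and attempt < max_retries:
            sleep(seconds_to_next_minute(now()))  # back off, then retry
            continue
        # Still 429 after several minute resets: likely the hour/day limit.
        raise RuntimeError(f"GET {path} failed with HTTP {status}")
```

The send, now and sleep parameters exist so the retry logic can be exercised without network access or real waiting.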

Security guidelines

  • Never commit tokens to source control. Use environment variables or a secrets manager.
  • One token per integration. Separate tokens make revocation surgical — if one leaks, only that integration needs rotating.
  • Set expiries on short-lived or experimental tokens.
  • Scope down. If an integration only reads data, don't grant write.
  • Rotate periodically. Treat tokens like passwords.

scanr.ai API (dev)