v1.0.0

Authentication

How to authenticate with the Pleiades API using API keys.


API Key Authentication

All data and simulation endpoints require an API key passed via the X-API-Key header. Health check endpoints (GET /health) are publicly accessible without authentication.

bash
curl -H "X-API-Key: your-api-key" \
  https://api.pleiadesaerospace.com/flights?airline=QF

Error Responses

Missing API Key

If you omit the X-API-Key header, you'll receive a 401 response:

json
{
  "detail": "Missing API key. Include 'X-API-Key' header."
}

Invalid API Key

If the provided key doesn't match a valid key, the response body is:

json
{
  "detail": "Invalid API key"
}

Security Headers

All API responses include the following security headers:

| Header | Value |
|---|---|
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| X-XSS-Protection | 1; mode=block |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |

CORS Policy

The API enforces a restrictive CORS policy. Allowed origins include pleiadesaerospace.com subdomains and configured client applications. If you need CORS access from additional origins, contact the Pleiades team.

Keep your key secure

Never expose your API key in client-side code or public repositories. Use server-side proxies or environment variables to protect your credentials.
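
A minimal server-side proxy for the advice above, as an added example that is not Pleiades' own code: the key is read from an environment variable and attached on the server, so the browser never sees it. The variable name PLEIADES_API_KEY, the path allowlist and the local listen address are assumptions.

```python
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qsl, urlencode, urlsplit

UPSTREAM = "https://api.pleiadesaerospace.com"  # host from the page's curl example
ALLOWED_PATHS = {"/flights"}  # assumption: the only endpoint the frontend needs


def load_api_key(env=os.environ):
    """Read the key from the environment (variable name is an assumption)."""
    key = env.get("PLEIADES_API_KEY", "").strip()
    if not key:
        raise RuntimeError("PLEIADES_API_KEY is not set")  # fail closed
    return key


def build_upstream_request(raw_path, api_key):
    """Return a GET Request carrying only the server-held key, or None if disallowed."""
    parts = urlsplit(raw_path)
    if parts.path not in ALLOWED_PATHS:
        return None
    query = urlencode(parse_qsl(parts.query))  # re-encode; never pass raw bytes on
    url = UPSTREAM + parts.path + ("?" + query if query else "")
    return urllib.request.Request(url, headers={"X-API-Key": api_key}, method="GET")


class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):
        req = build_upstream_request(self.path, load_api_key())
        if req is None:
            self.send_error(404)
            return
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, body = resp.status, resp.read()
        except urllib.error.URLError as err:  # includes HTTPError
            code = getattr(err, "code", 502)
            # An upstream 401 means the proxy's own key is bad; report 502 instead.
            status, body = (502 if code == 401 else code), b"{}"
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

Headers sent by the browser, including any X-API-Key it supplies, are never forwarded; only the allowlisted path and the re-encoded query string reach the API.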