Authorizing and Signing Requests

We want to ensure that calls made with your keys come from your applications. In order to help keep your keys from being used improperly, please follow the security and request signing guidelines below.

Using your keys

All calls to the Marvel Comics API must pass your public key via an “apikey” parameter.

Client-side and server-side applications have slightly different authentication rules in order to access the API. Please read below for the appropriate method for your application.

Please keep your private key private! Do not store your private key in publicly available code or repositories that are accessible to the public. Do not accidentally leave it at the bar.

Authentication for Client-Side Applications

Requests from client-side (browser-based) applications must originate from a pre-authorized web site or browser extension URL.

You may add or edit your authorized domains in your API account panel. You may use the “*” wildcard to denote subdomains or paths. For example:

Authentication for Server-Side Applications

Server-side applications must pass two parameters in addition to the apikey parameter:

For example, a user with a public key of "1234" and a private key of "abcd" could construct a valid call as follows: (the hash value is the md5 digest of 1abcd1234)

Authorization Errors

The following errors are returned by the Marvel Comics API when issues with authorization occur. These errors are returned by all endpoints.

Error CodeError MessageReason for occurring
409Missing API KeyOccurs when the apikey parameter is not included with a request.
409Missing HashOccurs when an apikey parameter is included with a request, a ts parameter is present, but no hash parameter is sent. Occurs on server-side applications only.
409Missing TimestampOccurs when an apikey parameter is included with a request, a hash parameter is present, but no ts parameter is sent. Occurs on server-side applications only.
401Invalid RefererOccurs when a referrer which is not valid for the passed apikey parameter is sent.
401Invalid HashOccurs when a ts, hash and apikey parameter are sent but the hash is not valid per the above hash generation rule.
405Method Not AllowedOccurs when an API endpoint is accessed using an HTTP verb which is not allowed for that endpoint.
403ForbiddenOccurs when a user with an otherwise authenticated request attempts to access an endpoint to which they do not have access.