We want to ensure that calls made with your keys come from your applications. In order to help keep your keys from being used improperly, please follow the security and request signing guidelines below.
All calls to the Marvel Comics API must pass your public key via an “apikey” parameter.
Client-side and server-side applications have slightly different authentication rules in order to access the API. Please read below for the appropriate method for your application.
Please keep your private key private! Do not store your private key in publicly accessible code or repositories. Do not accidentally leave it at the bar.
Requests from client-side (browser-based) applications must originate from a pre-authorized web site or browser extension URL.
You may add or edit your authorized domains in your API account panel. You may use the “*” wildcard to denote subdomains or paths. For example:
Server-side applications must pass two parameters in addition to the apikey parameter:
For example, a user with a public key of "1234" and a private key of "abcd" could construct a valid call as follows:
(the hash value is the md5 digest of 1abcd1234)
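The signing rule for server-side calls, as an added example that is not code from the API's own documentation. It assumes the digest input is the ts value, then the private key, then the public key (the order implied by the 1abcd1234 example above), that ts is a per-request timestamp, and it uses a placeholder endpoint URL and hypothetical environment variable names.

```python
import hashlib
import os
import time
from urllib.parse import urlencode

# Placeholder endpoint (assumption): substitute the API URL you actually call.
BASE_URL = "https://api.example.invalid/v1/comics"


def sign_params(public_key, private_key, ts=None):
    """Return the apikey, ts and hash parameters for a server-side call."""
    if not public_key or not private_key:
        raise ValueError("both keys are required")
    # Assumption: ts is a per-request timestamp; a new value is used when none is given.
    ts = str(ts if ts is not None else time.time_ns())
    # Order inferred from the page's example: ts + private key + public key.
    digest = hashlib.md5((ts + private_key + public_key).encode("utf-8")).hexdigest()
    # The private key goes into the digest only, never into the request itself.
    return {"ts": ts, "apikey": public_key, "hash": digest}


def signed_url(base_url, public_key, private_key, extra=None, ts=None):
    """Build a URL carrying the caller's parameters plus the three auth ones."""
    params = dict(extra or {})
    # Auth parameters are applied last so caller input cannot override them.
    params.update(sign_params(public_key, private_key, ts))
    return base_url + "?" + urlencode(params)


def keys_from_env(env=os.environ):
    """Read the keys from the environment (variable names are hypothetical)."""
    try:
        return env["MARVEL_PUBLIC_KEY"], env["MARVEL_PRIVATE_KEY"]
    except KeyError as missing:
        raise RuntimeError(f"set {missing.args[0]} in the environment") from None


if __name__ == "__main__":
    # Constructed values from the page's example: public "1234", private "abcd", ts 1.
    print(signed_url(BASE_URL, "1234", "abcd", {"limit": 5}, ts=1))
```

Reading the keys from the environment keeps the private key out of source files and repositories, in line with the guidance above.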
The following errors are returned by the Marvel Comics API when issues with authorization occur. These errors are returned by all endpoints.
| Error Code | Error Message | Reason for occurring |
|---|---|---|
| 409 | Missing API Key | Occurs when the apikey parameter is not included with a request. |
| 409 | Missing Hash | Occurs when an apikey parameter is included with a request, a ts parameter is present, but no hash parameter is sent. Occurs on server-side applications only. |
| 409 | Missing Timestamp | Occurs when an apikey parameter is included with a request, a hash parameter is present, but no ts parameter is sent. Occurs on server-side applications only. |
| 401 | Invalid Referer | Occurs when a referrer which is not valid for the passed apikey parameter is sent. |
| 401 | Invalid Hash | Occurs when a ts, hash and apikey parameter are sent but the hash is not valid per the above hash generation rule. |
| 405 | Method Not Allowed | Occurs when an API endpoint is accessed using an HTTP verb which is not allowed for that endpoint. |
| 403 | Forbidden | Occurs when a user with an otherwise authenticated request attempts to access an endpoint to which they do not have access. |