Authentication · Crawlbase Documentation

Overview

Every Crawlbase account has two tokens, generated automatically when you sign up. Both authenticate the same account and share the same quota — they just route requests through different infrastructure.

Normal token

default

For regular HTTP requests against APIs and static pages. Fastest, lowest cost. Use this unless you need JavaScript rendering.

JavaScript token

Routes requests through a real headless Chrome instance. Required for SPAs, infinite scroll, and any site that renders content client-side.

Find your tokens

Both tokens are visible on your dashboard the moment you sign up. They look like aBcD1234efGh5678 — about 22 characters of alphanumerics.

How to authenticate

Pass your token as the token query parameter on every request. That's the entire authentication scheme.

GEThttps://api.crawlbase.com/?token=YOUR_TOKEN&url=...

curl 'https://api.crawlbase.com/?token=YOUR_TOKEN&url=https%3A%2F%2Fexample.com'
from crawlbase import CrawlingAPI

# Pass your token at construction; reuse the client across requests
api = CrawlingAPI({'token': 'YOUR_TOKEN'})
res = api.get('https://example.com')
const { CrawlingAPI } = require('crawlbase');

const api = new CrawlingAPI({ token: process.env.CRAWLBASE_TOKEN });
const res = await api.get('https://example.com');
require 'crawlbase'

api = Crawlbase::API.new(token: ENV['CRAWLBASE_TOKEN'])
res = api.get('https://example.com')
 getenv('CRAWLBASE_TOKEN')]);
$res = $api->get('https://example.com');
package main

import (
    "os"
    "github.com/crawlbase/crawlbase-go"
)

func main() {
    api := crawlbase.NewCrawlingAPI(os.Getenv("CRAWLBASE_TOKEN"))
    res, _ := api.Get("https://example.com")
    _ = res
}

Picking the right token

Quick decision tree:

Site type	Token	Why
REST/GraphQL APIs	`Normal`	Already returns JSON, no rendering needed
Server-rendered HTML (Wordpress, classic e-com)	`Normal`	Content present in initial response
SPA (React/Vue/Angular/Svelte)	`JavaScript`	Initial HTML is empty; needs JS execution
Infinite scroll, lazy-load grids	`JavaScript`	Needs scroll/wait to populate
Sites with bot challenges (Cloudflare, etc.)	`JavaScript`	Browser fingerprint required to pass

If you're not sure, try Normal first. If the response is missing content you can see in your browser, switch to JavaScript.

Security & rotation

Treat tokens like passwords. Don't commit them to version control, don't paste them in support tickets, and rotate them if you suspect a leak.

Use environment variables — never hard-code tokens in source files.
Rotate from the dashboard — the "Reset token" button generates a new value and immediately invalidates the old one.
One token per environment — keep development and production on separate accounts so a leak in one doesn't poison the other.
Never expose tokens client-side — Crawlbase calls must originate from your backend. A token in browser JavaScript is a token in everyone's hands.

Don't ship tokens to the browser

Browser-side tokens leak via DevTools, network logs, source maps, and shared screenshots. Always proxy Crawlbase calls through your own backend.

Auth-related errors

If something's wrong with your token, you'll get one of these responses:

401 Unauthorized

auth

Token is missing, malformed, or has been reset. Double-check the value and that you're using the right one for the request type.

402 Payment Required

quota

Account is out of credits or trial period has ended. Top up from the dashboard.

403 Forbidden

auth

Token is valid but doesn't have access to this product (e.g. using a Normal token on a JS-only endpoint).

For the full set of status codes, see Status Codes.

Next steps

Rate Limits

How many requests per second your token can handle.

Status Codes

Every code Crawlbase returns and what it means.

Crawling API

Now that you can authenticate, learn the API.