API key security is critical. This guide covers how ZipMarketData authentication works, how to manage keys securely, and what to do if a key is compromised.

How Authentication Works

ZipMarketData validates requests via the x-rapidapi-proxy-secret header. This header is set automatically when you call through RapidAPI — or you can set it manually when calling the endpoint directly.

Never Hardcode API Keys

    # ❌ WRONG — key visible in source code
    headers = {"x-rapidapi-proxy-secret": "sk_live_abc123xyz"}

    # ✓ CORRECT — load from environment
    import os
    headers = {"x-rapidapi-proxy-secret": os.environ["ZIPMARKET_KEY"]}
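One way to catch the hardcoded pattern before it reaches a repository, as an added example that is not ZipMarketData code: it parses Python source with `ast` and reports each line where the `x-rapidapi-proxy-secret` header is given a string literal. The function names and the sample input are constructed for illustration, and Python 3.9 or later is assumed.

```python
import ast
import sys

SECRET_HEADER = "x-rapidapi-proxy-secret"  # header name used in this guide

# Constructed sample input: two hardcoded uses and one environment lookup.
SAMPLE = '''\
import os
headers = {"x-rapidapi-proxy-secret": "sk_live_abc123xyz"}
safe = {"x-rapidapi-proxy-secret": os.environ["ZIPMARKET_KEY"]}
h = {}
h["X-RapidAPI-Proxy-Secret"] = "sk_live_abc123xyz"
'''

def _is_header(node):
    # HTTP header names are case-insensitive, so compare in lower case.
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lower() == SECRET_HEADER)

def _is_literal(node):
    # A non-empty string constant means the value lives in the source file.
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value != "")

def find_hardcoded_secrets(source, filename="<string>"):
    """Return sorted (filename, line) pairs where the header gets a literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Dict):  # {"x-rapidapi-proxy-secret": "..."}
            for key, value in zip(node.keys, node.values):
                if _is_header(key) and _is_literal(value):
                    findings.append((filename, value.lineno))
        elif isinstance(node, ast.Assign) and _is_literal(node.value):
            for target in node.targets:  # headers["x-rapidapi-..."] = "..."
                if isinstance(target, ast.Subscript) and _is_header(target.slice):
                    findings.append((filename, node.lineno))
    return sorted(findings)

if __name__ == "__main__":
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            hits += find_hardcoded_secrets(fh.read(), path)
    if len(sys.argv) == 1:  # no files given: run on the constructed sample
        hits = find_hardcoded_secrets(SAMPLE)
    for name, line in hits:
        print(f"{name}:{line}: hardcoded {SECRET_HEADER} value")
    sys.exit(1 if hits else 0)
```

Run with file paths as arguments, it exits non-zero when any file contains a literal key, so it can gate a commit hook or CI job.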

Environment Variable Setup

    # Linux/Mac
    export ZIPMARKET_KEY="your_key_here"

    # Windows PowerShell
    $env:ZIPMARKET_KEY="your_key_here"

    # .env file (use python-dotenv to load)
    ZIPMARKET_KEY=your_key_here

Rotating a Compromised Key

If your key is exposed (committed to a public git repo, logged in error output, etc.): immediately log in to RapidAPI and regenerate your key. Update all deployments with the new key within 24 hours. Review server logs for any unauthorised usage in the meantime.